How to communicate the value of security in a more effective way
The CISO Challenge of communicating value
This blog starts a series of articles about what a Chief Information Security Officer should do, be and have. The series aims to answer the many challenges CISOs face on a daily basis; the findings come from interviews with CISOs. This first article answers one of those challenges: how a CISO should communicate his or her contribution to the organization's strategic goals.
Noah Brandwijk - 23 February 2017
The rise of the CISO
The role of the CISO (Chief Information Security Officer) continues to grow in importance in many organizations. As the role rises, so does its dependence on executive support. Numerous methods have been developed to win that support, yet the value of security still often goes unrecognized, and the CISO then does not receive the support needed to manage cyber risk effectively.
The current method of communicating security value
The CISO has a history of only telling the organization what is wrong with it and spreading fear, uncertainty and doubt (FUD). In recent years the narrative has changed to that of a business enabler, and the CISO now actively tries to communicate the value of security. That communication usually describes the current state of security and the value of security improvements, expressed as what each improvement did for the business.
The gap between current practice and what executives need
As the CISO rises within the organization, the function the CISO reports to also gains rank; in some cases the CISO now reports directly to the CEO or the board. According to our CISO Challenge research, these levels ask for different information from the CISO: specifically, the information they need to take executive decisions about security. Reporting security benefits in business terms is a start, but even then the business does not see the real contribution of the CISO, which is where security fits in reaching the organization's goals.
The contribution of the CISO to strategic goals
You could argue that the value of security is simply that the business keeps functioning. There is, however, no concrete evidence with which a CISO can prove a direct contribution of that kind to the business, so a direct contribution cannot be communicated. What can and should be communicated is the indirect contribution: the CISO prevents impact on the reachability of strategic goals, and adds value to the enterprise by supporting the realization of business goals and projects.
Communicating the contribution
The problem with communicating a contribution such as prevented impact is that the benefit is intangible. To make it tangible, the CISO needs supporting data. According to our CISO Challenge research, the CISO should present security initiatives with measurable security goals and with the weight of the risks they address. These security goals should be defined with a benefit to a strategic goal in mind: each security initiative should carry a measurable success condition which, once met, demonstrably contributes to the reachability of a strategic goal. That gives the business a concrete incentive to invest in security. Conversely, for the business to recognize the impact of a risk, the CISO should state how that risk affects the reachability of a specific strategic goal.
For example, suppose a CISO reduces a risk to a critical system whose failure could cause important deliveries to be missed. Missed deliveries threaten the department's revenue target, so reducing the risk fulfils a success condition for reaching that target. In turn, this prevents impact on the organization-wide strategic goal of increasing revenue. The same example can be used both to illustrate the weight of the risk and to define the measurable value of the security initiative.
The benefit for security leadership
By communicating the impact it prevents on the reachability of business goals, security leadership can gain the support needed to secure the budget and resources required to manage cyber risk effectively. Security initiatives in turn receive more of the support they need to contribute to, and facilitate, the creation of value. The CISO should therefore communicate his or her contribution in terms of the strategic goals. I personally believe this method helps everyone communicate the value of security more effectively and benefit from it.
The first CISO Challenge of a series
To clarify how a CISO can approach the challenges of today, we start a new series about these challenges with this first article. Future articles will cover topics such as the necessary actions for a new CISO and the IT experience a CISO needs in order to be a security leader. Each challenge contains input from CISOs and reflects the current state of cyber security.
More information on the Chief Information Security Officer?
Do you want to know more on CISO Challenges? Please contact Noah Brandwijk at +31 (0)88 2885250