How can the CISO become a business enabler?
For a cybersecurity program to be effective, CISOs must be viewed as business enablers. Kudelski Security's John Hellickson offers tips on how CISOs can make the transformation.
For a security program to be successful, organizations must view security as a business enabler and not as a roadblock. This requires CISOs to help the C-suite and members of the board understand the role of security and why it's important they are aware of cyber-risks and threats.
In this Ask the Expert, John Hellickson, managing director of global strategy and governance at Kudelski Security, offers tips on how CISOs can become business enablers. Hellickson explains that it's imperative for CISOs to cultivate knowledge about their organization's objectives, challenges and processes to help steer valuable conversations about cybersecurity. He also stresses the need to include executive leadership when crafting a long-term cybersecurity strategy.
In what ways can a CISO become a business enabler?
John Hellickson: The first thing that comes to mind is to fully understand the organization's strategic goals and mission, along with the business responsibilities and challenges each C-suite and executive leader has on a day-to-day basis.
The CISO should realize that every C-suite member has a different perspective about top risks for the organization and shouldn't assume that cybersecurity trumps all other risks. If the CISO understands the key products and business processes, and how their security controls enhance or ensure availability of those products and processes, they could have richer and more meaningful conversations with those business leaders to pave the way for future support when security initiatives may have an impact on the people or processes of that business leader's organization.
Another often overlooked element is the transparency of the cybersecurity program and its multiyear strategy. Providing C-suite members the opportunity to share their top challenges and concerns, as well as their thoughts on cybersecurity, prior to developing a multiyear cybersecurity roadmap is crucial, even if their input doesn't have a material impact on that roadmap. Linking cybersecurity initiatives to business outcomes that provide value beyond just protecting the organization, while helping the organization achieve its goals and objectives, is an easy way to demonstrate business alignment and value.