Why the CISO is responsible for supporting the business
Do you know the story of the three stonemasons who were asked about their work? Although all three are doing the same job, each gives a different answer. The first says he is cutting stone, the second says he is building a wall, and the third explains enthusiastically that he is building a cathedral. The allegory illustrates the latitude CISOs have in defining their mission, and why they need to ask themselves one essential question...
Why focus on security?
In 2010, Simon Sinek, a British-born speaker and author of numerous books on management and motivation, gave a TED Talk that quickly became one of the most viewed in the world. In it, he sets out his "Start with WHY" idea, which is well known in marketing and personal-development circles.
His point? We should not think first in terms of what we do (the "WHAT"), but in terms of why we do it. There are two reasons for this:
- Knowing why we act gives meaning to our actions and thus provides a source of personal motivation.
- It is also a powerful tool for communicating with and engaging your audience, because, as Simon Sinek puts it, "people don't buy what you do, they buy why you do it."
When it comes to cybersecurity, CISOs therefore have some work to do in defining their role. Do we provide security:
- to identify threats,
- to deploy tools,
- or simply to protect the company?
None of these answers is good enough. Take the cathedral builder's perspective instead: the CISO is not "the one who limits the damage." The CISO is the one who supports the business, both by protecting it and by helping it grow in a secure environment.
Business as the gateway to the CISO role
What does supporting the business mean in the day-to-day life of a CISO? The role can and should take shape in several ways, including but not limited to the following.
- "Think" business
It is impossible to claim to support an activity without knowing and understanding it thoroughly. CISOs must therefore take ownership of the subject by seeking answers to a number of questions as soon as they take up their position.
For example: What is the business model? Where does the company generate margins? Where does it lose them? What are the most significant risks to the business?
- "Talk" business
The CISO is often the only person in the organization who understands the cybersecurity issues and has a clear view of the actions needed to protect the business and its competitiveness against threats. To win the support of decision-makers, they must first make themselves understood. Whatever the industry, it is therefore in every CISO's interest to adopt "business language": to stop talking about "cyber threats" and start talking about "business risks."
- Cover risks appropriately
Let's be clear: not every activity in an organization needs to be protected to the maximum degree. The CISO's approach must take into account not only the risk but also the specific constraints of the business, both operational and financial. Neither too much nor too little: this is the balance that lets the company develop in a secure environment, with constraints limited to what is strictly necessary.
- Promote a security culture within the company
It is illusory to think that the company's security can rest solely on the shoulders of the CISO. Shadow IT, everyday carelessness, weak passwords... every employee can behave in ways that weaken the company, and everyone has a role to play. Supporting the business therefore means getting all stakeholders on board through relevant and engaging awareness-raising initiatives.
How can a CISO support the business on a daily basis?
Few CISOs were required to take business management courses as part of their studies. Does this mean that many of them lack the skills to advise their managers? Fortunately not, because the job of CISO, now more than ever, relies far more on interpersonal skills than on technical expertise.
The essential soft skills for being a CISO
The role of CISO is complex and cross-functional. What do executives expect from them?
A study published in May 2020 by Devoteam, conducted among approximately 600 executives from companies with more than 500 employees in Europe and the Middle East, provides some answers. The executives surveyed expect a CISO to cooperate with business units to keep their activities within an acceptable risk framework (47% of responses), but also to reduce the likelihood of threats to the company and its assets (45% of responses).
The CISO is therefore not expected to focus solely on technical matters.
- Curiosity
Asking questions, meeting departments and teams, learning the concepts specific to the business... it is by taking an interest in their environment and practicing active listening that CISOs can genuinely tailor their approach and proposals to the business.
- Communication and marketing
If there is one thing CISOs would benefit from learning, it is how to "sell" their ideas and solutions. Executives are increasingly concerned about cybersecurity, but what they need above all is to feel involved and to grasp the CISO's message quickly and easily. That message should no longer be technical but impactful, borrowing the most basic marketing techniques: speak the same language as your audience, support rather than impose, and don't hesitate to bring storytelling into your presentations.
- Diplomacy and a sense of consensus
Business leaders want to move quickly (time-to-market), even if that sometimes means sacrificing security. Given this reality, the CISO's role can no longer consist of systematic opposition; it must evolve toward compromise, working in small steps and making decisions on the basis of risk.
Developing the role of CISO in practice
Are you familiar with the chessboard method? Used to improve commercial effectiveness in complex sales, it can easily be adopted by any CISO who wants to "weave their web" and think big.
Here are three steps the CISO can work on from the day they join a company.
- Step 1: Map out the environment by conducting a thorough investigation. How does the organization work? Who does what? This detailed knowledge of the company and its inner workings makes it possible to identify the drivers and obstacles to be taken into account in cybersecurity measures.
- Step 2: Build relationships by taking advantage of every opportunity, from regular office visits to informal chats at the coffee machine. These interactions are the best way to identify the people who will become security "champions" within the company, so that the CISO has "relays" at every level of the organization.
- Step 3: Look after your personal brand. Stay in touch with early adopters and thank them, show empathy towards the employees most resistant to change and support them, know how to be discreet while making sure your work is recognized... day after day, the CISO must bring together an entire community. The quality of the relationships they build and the image they project are therefore essential.