In a story slow to fade away, Target recently announced the hiring of their first-ever CISO in the wake of the data breach last holiday season. Focus immediately turned to the reporting structure, lamenting the CIO-as-boss as a terrible mistake.
The focus is misplaced.
The discussion about reporting structure is a proxy for effectiveness. We tackled this, briefly, on the DtR Security Newscast this week (listen in at the 44:15 mark for the Target discussion).
No two organizations are the same, and various reporting structures are successful. More important than who the CISO reports to are the skills they possess.
In the recent Cyber War Strategic Exercise (CWSX) (read more about it here), one of the findings that stood out was the realization that success requires politics and media. Manipulation of media is essential.
The takeaway for security professionals is the need to be practiced at organizational politics with the ability to effectively communicate value. While the notion of office politics makes many wrinkle their face in disgust, leaders are expected to be able to see other perspectives and work within the organization to lead change.
That means an effective CISO needs not only a knowledge of security and risk, but also an understanding of the business. They must possess an ability to measure and demonstrate value to a variety of audiences.
Ultimately, it doesn’t matter who they report to. It only matters if they are able to serve the business through demonstrable improvements in security, and in value.
The skills that matter
Over the last two decades, I’ve advised CISOs in organizations of various sizes, across a variety of industries. While an overwhelming majority reported to a CIO, some reported to the CFO (a trend I’ve seen accelerating in recent years), and others reported to risk boards, the CTO, and a few even reported through rather unique structures (like legal).
Regardless of the reporting structure, successful CISOs understand security, embrace the business, and:
- Understand the politics: adopt an attitude of service without being subservient and learn what matters most to the business and our colleagues
- Focus on advancing top priorities that protect and support key business initiatives; the objective is to enable faster movement and better returns while increasing protection in the right measure
- Establish and demonstrate value; it’s no longer optional, it’s imperative to routinely understand the value of actions and programs, connecting the value to the people we serve in their context (or one mutually understood)
- Measure what matters: prove the return on investment. Stop buying into the myth that the investment in security cannot be measured. That’s the same sort of thinking that focuses on who we report to instead of what we need to be successful.
- Communicate what counts: the key is sharing what the audience needs to know, in the way they best absorb it (instead of trying to tell them everything we know, or impress them with technical jargon and concepts).
The pathway to success
Many CISOs rose through the ranks on the merit of their technical skills. That means learning to embrace politics, emphasize value to the business, and master the principles of effective communication. Sometimes the journey to change is uncomfortable, but the new skills are worth it.
It starts with a new mindset.
Embrace your role as a facilitator. Less protector, less hero, more contributor. Learn to discover what is important, influence outcomes that improve the business and offer better protection.
It also means asking for help. Our colleagues in the executive suite routinely seek training, coaches, and advisors to help them reach higher levels of performance. What about you?