R.E.S.P.E.C.T.: The way for CISOs to get and keep it

While they have a “C” at the beginning of their title, CISOs are held in generally low regard in the executive suite. The way to reverse that, say those who are familiar with, or have held, the position, is to be more than a geek.

If you’ve got a “C” at the beginning of your professional title, you’re at the top, or pretty close to it.

That, at least, is the perception of most people below the “C-suite” in an organization.

But, there is a hierarchy in the C-suite as well, and the Chief Information Security Officer (CISO) tends to be stuck at the low end of it, both in influence and respect.

That’s the finding of a survey by ThreatTrack Security, reported in a white paper titled, “No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers.”

More specifically, the survey of 203 C-level executives at U.S. organizations employing a CISO found that a large majority (74%) thought CISOs didn’t even deserve a seat at the C-level table and viewed them primarily as “a convenient scapegoat in the event of a data breach.”

Given the enormous importance of a CISO’s job – to protect the corporate “jewels” from theft or exposure – why is the position what some sardonically call “the Rodney Dangerfield” of the C-suite?

In casual terms, it seems to come down mainly to this: Being a geek isn’t enough.

The majority of executives surveyed believed their CISOs’ skillsets were too narrow for them to succeed as leaders outside of infosec.

Or, as ThreatTrack President John Lyons put it, “the corporate C-suite is a very competitive place. This finding underscores that many C-level peers view CISOs as one-dimensional – the ‘security guy’ only.”

John Lyons, president of ThreatTrack

It has actually been worse than that for some time – a CISO and his or her team have for years been frequently viewed not only as “just security people,” but as an impediment to the effective functioning of a business, when they seek to impose security restrictions on workers.

A frequent complaint about CISOs is that they don’t know how to “speak the language of business.”

And according to Lyons, that leads to a lack of respect. “Trying to enforce rigid security mandates and policies that others view as barriers to progress and productivity no longer works in today’s fast-paced, technology-driven corporate environments,” he said.

In short, to gain respect in the C-suite, CISOs have to work to be viewed as business enablers, not impediments.

“To be respected, CISOs must demonstrate their ability to view business problems from different and multiple lenses,” said Gus Anagnos, vice president of strategy and operations at Synack. “Security decisions can, and in most cases do, have a broad impact on a company.”

Gus Anagnos, vice president of strategy and operations, Synack

He agreed that CISOs have to overcome the perception that they are introverted technocrats and little else. If they can’t discuss much outside of IT issues, “executive peers can interpret this as an inability to see and understand the big picture, leading them to conclude that CISOs are ill-equipped leaders,” Anagnos said.

That is the way Jason Clark, CISO at Accuvant, sees it as well. “To gain respect, the CISO needs to be a business-savvy executive who needs mentoring from either the CEO or CIO, or from another top CISO,” he said.

Dave Frymier, CISO at Unisys, agreed. “Any security – military, protecting the Pope, information security – is a balance between risk and usability,” he said. “Unless CISOs understand at least something about organizational objectives and business needs, they won’t be able to make, or explain, that tradeoff in a meaningful way.”

Chris Wysopal, cofounder, CTO and CISO of Veracode, has a similar message. CISOs should “focus their attention on ideas that truly add to top-line business value. Understanding how to position security as an enabler for winning, serving and retaining business for the enterprise is essential,” he said.

Chris Wysopal, cofounder, CTO and CISO, Veracode

He added that part of the problem is that the CISO role “is relatively new and currently being defined compared to the more established C-level executive roles. What CISOs are discovering is that their security skillset is only part of what is needed for longevity.”
