How security executives can feel comfortable in the boardroom and server room

Successful CSOs and CISOs need to clearly articulate the importance of security to non-technical executives, show how security can help a company achieve its business goals and balance security with innovation.


With information security being a major concern at all companies, successful security executives need to be equally comfortable in the boardroom and the server room. While being well-versed in traditional security duties, like developing incident response plans and knowing what technology will keep the bad guys at bay, is still essential, CISOs and CSOs also need to know how security factors into the business’ operations.

Three skills that are essential for future leaders to master are being able to clearly articulate the importance of security to non-technical executives, show how security can help a company achieve its business goals and balance security with innovation. These skills are consistently mentioned by CEOs and CSOs when we’re discussing how business and security leaders can work better together.

Frame security in terms of risk to the business

Spewing technical terms at business executives and corporate boards won’t help CISOs convey the importance of security. C-suite executives and board members speak the language of revenue, profit margins and budgets, not firewalls, SIEMs and incident response.

To reach these audiences, security concerns need to be presented in the context of risk to the company. This is one area where security and business executives have a strong, mutual interest: business executives want to avoid risk, while security executives are responsible for mitigating it.

For security executives, this means explaining what risks the company could face if it doesn’t enact certain security policies or take specific measures. Board members may not grasp why a CISO is pleading for a budget increase to purchase endpoint visibility software. But they will understand that without that software the company’s intellectual property may end up with a competitor if a hacker infiltrates the network, remains undetected for months and exfiltrates sensitive data. Explain the impact of the risk and avoid a technical discussion of the technology you plan to use.

Learn how security can help the company overcome obstacles

Successful security executives understand the challenges their company faces and how they can help overcome them. Learning what these challenges are requires CISOs and CSOs to unchain themselves from their desks and talk to other executives, department heads and rank-and-file employees. Ask how the security team has failed them in the past and solicit ideas on how to alleviate obstacles that have prevented people from completing their jobs.

This exercise requires keen listening skills and a degree of humility. You may know how to reverse engineer malware, set up a firewall and do all things related to information security. But you may not know about projects that should include the input of someone from the security team. For example, a CISO may not be aware that the product team is developing a mobile app that will ask users to input personally identifiable information. For security types, incorporating security features into the app before thousands of people download it is obviously preferable to trying to add them retroactively following an incident. But you may never know about that app until after it’s launched if you spend most of your day sitting at a desk. Information security can’t be conducted in a silo.

Add security early on to preserve innovation

Listening and talking to people outside of IT and security is also helpful in overcoming the perennial challenge of balancing security and innovation. Ideally, security should be incorporated from the start of a project. However, security is frequently seen as a hindrance to development and overlooked.

But by talking to co-workers, security executives can learn what other departments are up to and raise security concerns before a project is finished. The earlier security is considered, the better. Security professionals can offer flexible and adaptable solutions that preserve innovation as well as keep a product secure. Soliciting security’s advice with a project deadline looming or when a product is nearly complete leaves limited security options. In these situations, security can appear to stifle innovation.

A corporate culture that embraces security also helps companies balance security and innovation. This culture should grow over time as security departments show that security and innovation can co-exist. The other way to develop a security-focused culture is by having executives emphasize the importance of security. Again, this mindset is possible if security executives talk about security in the context of risk to the business and avoid technical terms.

For security leaders to excel in their jobs they need to understand that their duties include much more than patching software. They’re also required to explain why security matters in a way that resonates with people from across an organization and figure out how security can help, not stymie, innovation.

This article is published as part of the IDG Contributor Network.