Why CISOs must be students of the business

Technical expertise will only get you so far. To earn a seat at the executive table, today's CISOs need to understand their business.

The following vignette was the catalyst for multiple conversations between the authors about why it’s as important for today’s CISO to be a business leader as it is for them to be security professionals. While being a security professional is a fundamental expectation for getting hired, being a business professional is something the CISO must proactively learn if they want to be recognized as a member of the executive team. 

One of the most embarrassing moments of my life occurred when a CISO colleague invited me to give a cyber-intelligence briefing to his Board of Directors. Following the presentation, my colleague gave his quarterly security update to the Board. After his presentation, he was getting a few questions and was honestly not doing too well. He began getting a little flustered because the questions were skewing specifically towards the business and out of his security comfort-zone. Finally, the Chairman asked him, “Do you understand how we generate revenue?” My colleague was speechless, and to say the conversation went sideways quickly is an understatement. It was a horrible experience for everyone in the room, but one of the best lessons I’ve ever seen about the importance of why the chief information security officer should be a student of the business and understand how the company makes money.

Over the course of our security careers we have talked with hundreds of security practitioners and have been consistently surprised by how few CISOs are adequately versed in the actual business of their organization. The vast majority of talks, presentations, and conversations at security conferences focus on technology, certifications, and policies; it is rare to hear security people discuss, at any level of detail, the many factors that contribute to revenue in their business.

Earning a seat at the table

While most people land a CISO or senior security job through their knowledge of risk, security technology, and the threats facing the company, that knowledge alone doesn’t earn them a seat at the executive table. Like it or not, security is not foundational to generating revenue in most companies, so security competes for visibility with executive leadership. CISOs are still most often perceived as technology geeks who don’t think broadly enough to be part of the business conversation.

CISOs have been trying to make the case for the past 20 years that they deserve to be part of the executive leadership team, but most security professionals have simply not done their homework to take advantage of the opportunity. We often talk about security risk, in which most CISOs are fairly well-versed. But what about other business risks such as competitive risk, inflationary risk, market risk, political risk, operational risk, or regulatory risks outside of things like GDPR, CCPA, HIPAA, or PCI? These are the kinds of risks business leaders think about every day and expectations are growing that, while CISOs don’t necessarily need to be experts, they at least need to be conversant in those discussions.

We believe that security leaders must understand the fundamentals of how their company generates revenue in order to evaluate which security programs are appropriate for it. That means understanding both how the business makes money and the processes that create value.

Understanding revenue and value

Most business models are fairly simple: Sell a product or service for more than it costs to make the product or deliver the service. For example, an online retailer buys a computer from a supplier and then resells the computer to a consumer at a higher price than the purchase cost. The successful retailer understands how those sales work and is well versed in the inventory-in versus inventory-out model, as well as the geographic and demographic posture of those sales. An oil company or an electricity company must sell their barrel of oil or kilowatt-hour of electricity for more than the total cost to produce it, accounting for all of the tangible and intangible factors that go into that production.

Value is a bit more complex. If you work for a company that manufactures skateboards, there’s much more to the business conversation than simply taking a piece of wood or fiberglass and adding four wheels.

  • How do you build a better skateboard than the competition?
  • Do you have intellectual property that needs to be protected?
  • What demographic groups buy your skateboards and how do you market to them?
  • What legislative, environmental, and tax-related regulations must be followed before a skateboard is packaged and leaves the factory? 

The better a CISO understands these secret ingredients, the better they can build a security program to protect them. Risks differ across sectors of the economy, and the CISO needs to understand where the company’s value lies in order to frame security risks in terms that management and the board will understand.

The case for security-business alignment

When a security executive with vision really understands the business, the security program aligns with what matters most to the company. Monitoring how the business is doing, and keeping the program agile enough to react to changes in the market, lets the CISO apply mitigations that are proportionate to the risks the business actually faces.

When you understand your business, your security program will make sense to the executive team and they will value and respect security more because alignment with the business will be obvious. That’s how CISOs earn a seat at the executive table.

Copyright © 2020 IDG Communications, Inc.