How CISOs become business leaders

What’s the difference between a company that has a CISO and one where the IT security manager is the highest ranked security professional? Some might say a CISO has a broader range of responsibilities, but the real answer is leadership.

A recent ESG study found that communication and leadership skills were the two most important qualities of a successful CISO. Technical acumen was far less important in the eyes of the respondents than the ability to get the right messages across.

If the CISO being a peer of the CIO is going to ever become the norm –  just 12% of UK CIOs say that the CISO is their peer within their organization – security professionals need to learn skills beyond the security function and how to be business leaders.

CISO need to consider the goals of the business, too

While you often hear about the concept of the security function becoming an enabler instead of a cost center or barrier, Killian Faughnan, group CISO for UK betting firm William Hill, says the role of the CISO is rarely the business leader or enabler the industry wants it to be. “We spend our time talking about being business leaders. It’s probably the most repeated phrase you come across: Security people need to business leaders,” he says

William Hill

However, compared to more established roles — including the CIO — the CISO is often stuck on the sidelines because it’s not a role that is usually driving the business forward. “If you look at the top table, everyone there for the most part are there to drive the business forward, people who have come to some commercial reason for being there, whereas we tend to be much more on the side,” says Faughnan. “You’re not really a business leader if you’re not really sitting on the right boards and committees. You’re not really leading from the front.”

The reason for this is that CISOs too often aren’t thinking about how the decisions they make are going to propel the business. “The entire point of business it to make money,” says Faughnan. “Business is there do business, not security. You need to be thinking the fact that your decisions in terms of where you deploy resources, are business decisions and they impact everyone else. If you take £1 million from the pot, not only is that money that someone else isn’t getting but that may be £1 million that could have been turned into £5 million by someone else’s department.”

“You need to ensure that the behaviors and outcomes you’re driving are coming from the goals of the business and not the goals of the security industry,” he adds. “Obviously, we’re there to do security, but if you are delivering your goals at the expense of business, well, that’s a failure.”

Market yourself and your goals to the board

One business skill CISOs need to learn is marketing. While they might not be promoting to outsiders, every time a CISO talks to the board they are marketing themselves and their function. Presenting at InfoSecurity Europe conference in London, Faughnan told the audience that when presenting to the board — whether it’s updates or requests for resources — this is actually a marketing exercise. “We’re marketing a product to our customer,” he said. “Security is our product.”

“You don’t need to understand security to understand marketing,” he tells CSO afterwards, “in fact it just gets in the way. All that will happen is you will focus on the stuff you know to the exclusion of the stuff you need to learn. Marketing is its own discipline for a very good reason.”

Faughnan learned this lesson after realizing his own presentations were falling flat. Treating talking to the board more like a marketing campaign allowed him to think more closely about messaging. “I had too many charts and too many graphs, and I was putting too much information in there, and I could just see they were glazing over when I was telling them about all the important things I was doing,” he says. “They’re quite happy to sit there and take it but they weren’t leaving feeling energized about it.”

To think like a marketeer, Faughnan recommends that you learn basic marketing principles such as the Four Ps, the Ansoff matrix, product lifecycles, and even self-presentation. “If you’re selling a particular pitch, you’re selling a vision, and that vision will come from your product. You will have a product lifecycle for each thing you try and sell to the board.”

“You are as much a part of that product as anything else,” he continues. “That includes how you dress. In a bank you’d probably go full suited and booted. If you’re in a more casual company where no one wears a tie and show up in that environment with a suit and a tie, you’ll be the odd one out.”

Keep your messaging short, focus on what’s most important

In his talk, Faughnan said CISO’s should ultimately aim to get their board presentations down to one slide that says whether the company is doing well, middling or not well. He acknowledges it is an unrealistic goal but should still be a target that will encourage you to keep messaging condensed. “Data has its place, but that place is mostly in your dashboards. Your job is to take that data and crunch it down to something meaningful and be able to present that to the board in a way which makes them feel that you know what you’re doing,” he says. “You can be giving the same information as the last guy, but you can present it in a completely different way.”

In reality, CISOs should try to keep their presentations down to three slides and just three messages. Any more than that and the board is likely to lose focus. “When you present to a board 30 pages of stuff, what you’re telling them is ‘I couldn’t be bothered to work through this to figure out what the most important bits are, I’ve just given it all to look through at your leisure.’ They’re busy people, they’re running entire companies. You only have 15 minutes, and in 15 minutes you can probably get three good ideas across.”

“The hardest thing for me was getting used to the idea that I’m there to give the board what they want, not what I want them to want. They’re quite different things.”  

And what they want, he says, is one number; a single metric or scale that can represent the state of a company’s security. “I had five, ten, 15 metrics of the most important [things] we were worried about, and they were like, ‘Can you give us one number for that?’ They want some way for you to crunch all the data, all the graph, all the information, and come back to them with something which sits on a scale and says we’re doing well or we’re doing not well. That’s it.”

Like the one-slide presentation, it may be an unachievable goal, but by always aiming for that target, CISOs will be able to keep their messages short and to the point.

Study business, seek help from other business disciplines

While taking a marketing approach to presenting to the board is something that’s helped Faughnan, it’s only one aspect of transforming the CISO from a security role on the sides into what he describes as a leader of business. “We [security professionals] all come up through the same ladders and have the same view on things. We tend to be very straight-edge and governance focused in a lot of respects. We’re very technology-delivery and technology focused because we don’t come from business backgrounds.”

To broaden his thinking, Faughnan did an MBA course. Studying business, he says, allowed him to expand his vocabulary beyond technology and security and understand business concepts. “I could never understand why we never delivered on what the business wanted. It’s because we all speak slightly different versions of the same language, which have slightly different meanings.”

“People don’t consider the fact that there are valuable things they can [learn] elsewhere,” he says. “If you’re doing marketing to the board, go and learn about marketing. If you’re going to talk about finance to the board, go and learn about financing. If you’re going to be doing the budgeting, being a security professional doesn’t mean you can do budgets, go learn about it from people who do it and go do a budgeting course.”

While he admits that being a security leader requires today’s CISO to wear a lot of different hats, Faughnan counters that you don’t have to know everything about these subjects, merely have an understanding of them and their value. “We don’t need to be experts in everything, and don’t be afraid to ask for help. If you’re doing an internal campaign, talk to internal communications. If you want to do some marketing, talk to your market department. Same with HR. You want to [do] cultural change, work with them on the broader cultural change programs.”