• United States



Mary K. Pratt
Contributing writer

10 value-adds that CISOs can deliver

Sep 07, 20209 mins
CareersRisk ManagementSecurity

Savvy security chiefs are generating returns for their organizations beyond enabling secure business operations. Here's how they do it.

business leadership / double-exposure of a woman with laptop and phone, city skyline + abstract data
Credit: Metamorworks / MicroStockHub / Getty Images

Like all executives, CISOs are facing pressure to demonstrate the value that they and their teams provide to their organizations.

Many, however, say they still struggle to do that.

Only 52% of CISOs say that they feel their fellow executives value the security team from a revenue and brand protection standpoint, according to the report Life Inside the Perimeter: Understanding the Modern CISO from Nominet, the registry for .uk domain names.

Yet leading security experts say CISOs are indeed generating value for their organizations by enabling business to operate securely. Some CISOs, meanwhile, are delivering additional returns through value-add activities: They’re decreasing costs, opening new strategic opportunities and even increasing revenue through their various initiatives.

“We see lots of opportunity for CISOs to bring value to the organization,” says Keri Pearlson, executive director of Cybersecurity at MIT Sloan (CAMS).

Here are 10 examples of where CISOs can deliver extra returns:

Bring better order to organizational data

Tony Buffomante, the global cybersecurity practice co-leader and principal at KPMG, says CISOs have an opportunity to bring value-adds beyond security services because of their visibility across the organization.

Tony Buffomante, Global Cyber Security practice Co-Leader and Principal, KPMG Tony Buffomante

He cites one case, where KPMG worked with a major financial institution’s CISO to assess risk around its data. In doing that assessment, the CISO found that collected data was not being used as well as data in multiple locations.

The CISO and KPMG first scored the data elements as part of the risk and security assessments. Then they documented whether the various date elements were useful for competitive advantage, whether they exist in multiple places, and also whether any were actually used in multiple places.

The CISO also shared his insights with IT, which then eliminated redundancies and reduced the data footprint — a move that saved the company cash while also limiting security risk. Meanwhile, the firm’s marketing department used the CISO’s insights on the data to more tightly target its work.

“It was the CISO bringing insight into the data, which enabled the business to think about the way to make that data more valuable,” Buffomante explains.

Identify policy and procedural lapses

As part of standard security reviews, CISOs typically find gaps in their own procedures and protocols; they can use that same process to spot lapses in related areas as a way to bring additional value to their organizations.

Gregory J. Touhill, adjunct faculty member, Carnegie Mellon University’s Heinz College of Informatio Gregory J. Touhill

“That’s something all of us should be embracing: ways to make the whole organization better,” says Gregory J. Touhill, adjunct faculty member at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy and retired U.S. Air Force brigadier general who served as the first federal government CISO during the Obama administration.

Touhill speaks from experience. He cites one particular incident during a consulting engagement, when one of his security analysts caught and investigated anomalous activities that indicated a problem with the vetting and onboarding of new personnel.

“It was outside of their lane, but they raised the alert, and as a result we improved the onboarding process,” Touhill says.

Of course, bringing such issues to another executive’s attention requires the CISO to draw on his or her best diplomatic skills, but as Touhill notes “you owe it to the organization to address it.”

Spot superfluous spending

CISOs are already on the lookout for superfluous technology in case it presents a security risk, but veteran security executive Gene Fredriksen says security leaders who identify unnecessary technology spend can help organizations keep their budgets in check.

Gene Fredriksen Gene Fredriksen

“Spinning up a server is so easy now that it’s cloud based, but every time someone spins up a server with an app on it, the organization has to pay somebody, so when it’s time for a license audit, [executives] are often in shock,” says Fredriksen, the executive director of the National Credit Union Information Sharing & Analysis Organization (NCU-ISAO) and cybersecurity principal for Pure IT Credit Union Services.

Lend skills to IP protection

Identifying intellectual property that isn’t adequately protected “typically has not been a CISO’s role, but they can contribute here,” says Pamela Gupta, president of OutSecure Inc. and a member of Women in CyberSecurity (WiCyS).

Pamela Gupta Pamela Gupta

Gupta worked with one CISO who had been tasked with implementing controls around the company’s financial and credit card data but saw through that process a need for increased security around the company’s IP.

“I’m seeing that even large organizations aren’t taking a risk-based approach to protecting IP and connecting the dots across the organization,” Gupta says, adding that CISOs who can apply their risk-based training to appropriately identify and secure IP would be providing an invaluable service.

Make security a selling point

Both everyday consumers buying something off the shelf and executives negotiating a vendor contract want to do business with organizations that are secure, Pearlson says. And they’re increasingly looking for proof that of that security.

Dr. Keri Pearlson Dr. Keri Pearlson

“Being able to say your organization is secure can be a revenue-generator,” Pearlson adds. This presents an opportunity for CISOs. “If I as a CISO can show you my company is more secure, then I open up a strategic opportunity for you to do business with me.”

She says she worked with a company incorporating digital components into their products; its CISO expanded his scope of work from securing internal systems to working with product development on security features.

“The CISO had an opportunity and seized it to participate at the product development level,” she adds. “That’s not a traditional role for CISOs, but they can have a significant impact there, especially as we move forward and everything has a digital component to it.”

Build bridges

CISOs, like their CIO and CFO peers, work across the entire enterprise and thus have the opportunity to build relationships throughout it. That positions the CISO to be an ambassador, says Brennan P. Baybeck, a veteran security leader and immediate past board chair of ISACA, a professional association focused on IT governance.

Brennan P. Baybeck Brennan P. Baybeck

He notes that the CISO’s job involves nearly the full range of executive and strategic areas — from data-related issues to legal, privacy and governance as well as, of course security. And as such are tasked to partner with many others to find solutions.

“They can see things that need work and can work within companies to improve those areas,” says Baybeck, who is also the CISO for customer services at Oracle Corp.

He advises CISOs to leverage that experience to play mediator across functions and to help the enterprise better manage risk by breaking down remaining siloes and building networks between divisions.

Help out partners

Similarly, Fredriksen sees an opportunity for CISOs to work with their organization’s own business partners — work that can pay back the effort by ensuring and strengthening security throughout the supply chain.

He says as a CISO he held security seminars for suppliers and distributors who weren’t large enough to hold their own and he shared with them security alerts and compliance updates for similar reasons.

“You need to share best practices because together we all get better,” he adds.

Find, promote opportunities for standardization

Michael D. Weisberg, CISO at IT services firm Garnet River LLC, was advising a CISO at a large enterprise that had implemented different systems to process payments arriving from different points. The organization had 23 different platforms to handle the same process — a scenario that not only created costly complexity for the CISO but also unnecessary complexity for the technologists who had to support all those systems.

Michael D. Weisberg Michael D. Weisberg

Recognizing the burden that those different systems put on the organization, the CISO created a single framework that standardized security and technology requirements across all of them. Both the organization as a whole and the CISO himself benefited from the standardization work.

“It requires less staff to maintain a functional environment that is standardized, and it’s easier by far to secure an efficient environment,” Weisberg says.

Shape strategic plans

As CISOs continue their evolution into executive partners advising their C-Suite counterparts on cybersecurity issues, there’s a push for CISOs to shape more of the organization’s strategic plans.

Derrick A. Butts, Chief Information and Cybersecurity Officer, IT Truth Initiative Derrick A. Butts

“It’s about being aligned with the vision of the organization and helping to save money and improve the workflow for employees across the board,” says Derrick A. Butts, chief information and cybersecurity officer for Truth Initiative, a nonprofit tobacco control organization

Butts has seen how that can strategic work pay dividends.

He points to his work on plans to move into a new building five years ago. Although facilities management may not seem like CISO territory, he joined discussions early and influenced the networking infrastructure going into the new space. Butts advised his colleagues to add features to the networking infrastructure that would enable a high volume of telework as well as enable security for that remote work, persuading the other executives that the plan would ensure business continuity if an event, such as a large snowstorm, shut down the entire office.

The value of Butts’ involvement in the planning became clear when the COVID-19 pandemic hit, as workers at his firm seamlessly and rapidly transitioned to a remote work environment.

“We didn’t have to reassess and bring in new systems to make telework work. We were already there. We were able to do business as usual,” Butts adds.

Streamline regulatory controls

As lawmakers and private entities enact more and more security and privacy regulations, such as the California Consumer Protection Act, organizations must implement their own controls in order to comply.

But because regulations come staggered over time, many executives have dealt with them one by one — an approach that often leads to complex, redundant controls and related processes.

Mike Johnson, CISO, Fastly Mike Johnson

Mike Johnson, CISO at Fastly, a cloud computing provider, says security leaders, given their involvement across all sorts of regulatory obligations, can often identify ways to streamline those controls.

“CISOs can bring value-add by streamlining security related operations and compliance,” he says. “Reducing the cost of those functions brings values to those organizations. Heavy manual processes have high monetary and opportunity cost and automation (among other improvements) can really have a cross-organizational benefit.”