Over the past 18 months, there has been a bit of a sea change in the chief information security officer (CISO) role. Fundamentally, the CISO is the individual who is responsible for the protection of an entity’s information.

The US Securities and Exchange Commission (SEC) has issued a proposed rule change on cybersecurity risk management, strategy, governance, and incident response disclosure by public companies that requires publicly traded companies to provide evidence of the board’s oversight of cybersecurity risk. Couple this with the former CSO of Uber being found guilty on charges of “obstruction of the proceedings of the Federal Trade Commission” and it is clear the hand at the helm must be able to navigate all types of seas in their entity’s political milieu. In this regard, the CISO needs to acquire political capital.

CISOs should not be intimidated by business politics

Perspectives have been previously shared on how the CISO must have a seat at the leadership table, while others opine that it is not required. “Politics exist, but life would be better if it didn’t,” Rapid7 CSO Jaya Baloo tells CSO. She believes that CISOs should not be intimidated by the politics of a business but should rather “hold it in wonder and strive to understand.” The reality, she noted, is that in the realm of rapid response, engaging in politics is counterproductive.

She acknowledges that she has a seat at the table as the CSO and as part of her company’s audit committee. That said, to acquire resources, including funding from those who hold the purse strings, one must be able to talk in understandable terms and clearly “demonstrate value.” To that end, she shared her Potential Harm of Security Incident Calculator, which she uses to document and quantify the value of incidents prevented. Baloo says she uses this calculator regularly: “Every time our SOC prevents an incident, it takes one to two minutes to put a monetary value on the incident using the calculator.”

The calculator measures six categories:

Beware the ‘I need to report to the CEO’ instinct

Where a security leader sits in a company’s pecking order or to whom they report “is fundamentally irrelevant, because every organization sees things differently,” according to John Stewart, president of Talons Ventures and a former chief security and trust officer at Cisco. “The relevant piece is access, support, authorities, and accountability,” Stewart tells CSO.

Stewart has cautioned CISOs many times to be careful of the “I need to report to the CEO to be effective” instinct. “That suggests either the business, the culture, or the individual are ineffective.” A more effective approach should be, according to Stewart: “I need access to the CEO with their support and a clear understanding of my responsibilities and authorities that is backed up with action.”

This is pretty much in line with the thinking of Malcolm Harkins, former CISO at Intel and other entities, who tells CSO that it is “unimportant” to whom an individual CISO reports. “The CISO is the one who should be responsible and accountable for mitigating risk,” he says. “To demand a seat at the table is not how one goes about business — earn that spot at the table, don’t demand it.”

Harkins says many CISOs don’t view risk as their responsibility, and that is not a productive line of thinking. “Business may own the risk decision, but the entire company owns the challenge of protecting and mitigating the identified risks which accompany a business decision. It is a dynamic state and not static.”

A CISO’s integrity matters most of all

There is no getting around the fact that the position of the CISO comes with pressure, as articulated in a 2022 article by Harkins, “Integrity Matters,” in which he highlighted that cybersecurity professionals were considering quitting the industry due to stress. In addition, he noted in the same piece a survey he conducted in which 76% of technology leaders responded that they “have felt some sort of pressure, either self-imposed or initiated by others, to under-report the reality of a security risk.”

Harkins hits the nail on the head: integrity does matter. He concluded his essay with: “We can eliminate most of the material risk exposure from cyber if we understand it, align on it, and hold ourselves accountable to managing it properly.”

With the sea changes occurring under our collective keel, CISOs must be prepared to enter the discussion and articulate the risk and mitigation strategies in business terms. They cannot lean on the complexity of their teams’ efforts to obfuscate; they must be clear, precise and, above all, speak truth to power.