The debate over whether the CISO should, by the very nature of the position, be considered a member of the corporate executive team (known colloquially as the C-suite) has been raging for some time and seems likely to continue for a good while to come. I believe the CISO should not only have a seat among the uppermost echelon at the big table but also be recognized as a foundational element in the success of any business.

I have often opined, along with many of my peers, that it doesn't really matter where the CISO sits if responsibility and accountability are clearly charted and senior-most management is engaged and supportive. But that is a rare situation -- a CISO Nirvana, if you will, as many don't feel seen by the C-suite or the board.

In the US, there are clear signs of a shift underway toward recognizing the key business value of cybersecurity leaders -- the US Securities and Exchange Commission (SEC) has ramped up its support for cybersecurity as a top business concern and expressed its opinion that the CISO should be seen as an integral part of the enterprise's decision-making team. So how does the CISO go about gaining recognition for this engagement with their co-executives?

The CISO should be unafraid to speak truth to power

We've all heard the adage "speak truth to power," and few will argue that the CISO's role requires the fortitude to speak truth, no matter how ugly it may be. Often, the response from your executive colleagues may seem to follow the Japanese proverb "The nail that sticks out gets hammered down," and that is a reality. Yet, I believe when familiarity and trust are present, the hammer stays in the toolbox and the truth being shared is recognized for its utmost importance.

Part of speaking the truth is the need to prepare one's co-executives for the "when," not the "if," of cybersecurity incidents, Armis CEO Curtis Simpson tells CSO. His philosophy of "keeping incidents at the scale of being the least disruptive" has great merit. "Major incidents are the events which are disruptive at scale and cause churn within the infosec teams," he says. "It is important that co-executives understand the playbook, discuss the results of tabletop exercises and the gaps identified and mitigation plans. The key is transparency."

Positioning cybersecurity as a strategic part of the business

The SEC push for boards to have an individual director focused on cybersecurity has great merit and the rationale is founded on the truth of the situation, according to Jake Seid, a partner at Ballistic Ventures. "Few boards are equipped to deal with CISO challenges," Seid says. "The assumption that CISOs are not siloed and are integral to the business may not be the reality, yet it should be. They are a strategic part of a business's success. For those doing business with government, the CISO's role may determine business outcomes, given the certifications and attestations required," which is a clear rationale for not being siloed.