2023-07-31

The debate over whether the CISO should, by the very nature of the position, be considered a member of the corporate executive team (known colloquially as the C-suite) has been raging for some time and seems likely to continue for a good while to come. I believe the CISO should not only have a seat among the uppermost echelon at the big table but also be recognized as a foundational element in the success of any business.

I have often opined, along with many of my peers, that it doesn’t really matter where the CISO sits if responsibility and accountability are clearly charted and senior-most management is engaged and supportive. But that is a rare situation — a CISO Nirvana, if you will — as many CISOs don’t feel seen by the C-suite or the board.

In the US, there are clear signs of a shift underway toward recognizing the key business value of cybersecurity leaders — the US Securities and Exchange Commission (SEC) has ramped up its support for cybersecurity as a top business concern and expressed its opinion that the CISO should be seen as an integral part of the enterprise’s decision-making team. So how does the CISO go about gaining recognition for this engagement from their co-executives?

The CISO should be unafraid to speak truth to power

We’ve all heard the adage “speak truth to power,” and few will argue that the CISO’s role requires the fortitude to speak the truth, no matter how ugly it may be. Often, the response from your executive colleagues may seem to embrace the Japanese proverb “The nail that sticks out gets hammered down,” and this is a reality. Yet, I believe when familiarity and trust are present, the hammer stays in the toolbox and the truth being shared is recognized for its utmost importance.

Part of speaking the truth is the need to prepare one’s co-executives for the “when,” not the “if,” of cybersecurity incidents, Armis CEO Curtis Simpson tells CSO. His philosophy of “keeping incidents at the scale of being the least disruptive” has great merit. “Major incidents are the events which are disruptive at scale and cause churn within the infosec teams,” he says. “It is important that co-executives understand the playbook, discuss the results of tabletop exercises and the gaps identified and mitigation plans. The key is transparency.”

Positioning cybersecurity as a strategic part of the business

The SEC push for boards to have an individual director focused on cybersecurity has great merit, and the rationale is founded on the truth of the situation, according to Jake Seid, a partner at Ballistic Ventures. “Few boards are equipped to deal with CISO challenges,” Seid says. “The assumption that CISOs are not siloed and are integral to the business may not be the reality, yet it should be. They are a strategic part of a business’s success. For those doing business with government, the CISO’s role may determine business outcomes, given the certifications and attestations required,” which is a clear rationale for not being siloed.

How the CISO speaks to co-executives is equally important, Snehal Antani, CEO of Horizon3, tells CSO. His advice: “The CISO needs to shift away from discussions about technologies and focus on outcomes, speak more to business continuity, and risks and risk mitigation,” all topics that are strategic to business success.

Team-building retreats can help raise a CISO’s profile

Retreats can help raise a CISO’s profile — no, not the “retreat from the fray” type of retreat, but the engagement type of retreat. There is an entire industry built around team building, and few will dispute that a group of individuals who have a shared experience get to know one another better.

This is an opportunity to build trust with one another, according to Simpson, who expressed his positive experiences in “executive retreats where they give Myers Briggs [tests] and help explain how to communicate with each other. It is a great asset. There is no substitute for face time with your fellow executives. It not only builds familiarity, it also builds trust.” Not only should a CISO push for an invitation to these kinds of events, but they should also encourage any opportunity to extend the scope of their cyber evangelism.

CISOs need to constantly reiterate their value to a company

In a similar vein, Manny Rivelo, CEO of Forcepoint, noted that “CISOs need to bring their value forward as their teams heighten productivity, increase ROI, and ensure a higher level of compliance for the company’s sectors.”

CISOs shoulder tremendous responsibility and, as such, should be held accountable for the responsibilities they shoulder. That said, they also must be resourced adequately. Seid observed that the CISO “needs to be held to the same standards as the CFO and should engage the C-Suite in a similar manner.”

And the kicker is, as recent experience has shown, that CISOs who don’t feel recognized or valued, or who are stressed and headed for burnout, won’t stick around. For them, it’s like the line from the Kenny Rogers song: “You gotta know when to hold ’em, know when to fold ’em.” That’s no good for the company and no good for business in general — something boards should consider when they’re reluctant to bring the CISO into the executive fold.

Freezing out the CISO can ultimately leave a company vulnerable

The reality is that every role has a start date and an end date, when an individual moves on to the next opportunity or challenge. According to Simpson, the CISO should be astute enough to “know when it is time to go” and particularly “when the business starts playing the blame game.”

Corporate boards should pay heed to this: it’s in no one’s best interest to give the CISO the cold shoulder and then have to start searching for a new one in a very dry and difficult hiring environment. Not to mention the perilous situation in which this leaves a company when there’s no one driving the cybersecurity bus at a time when vulnerabilities and incidents are ever on the rise. When the CISO has a seat at the big table, everybody wins.