As I noted in a recent SecurityWeek column, an effective cybersecurity leader speaks a new language--one that is a blend of technology and business. Gone are the days when a CISO could just be an expert in security, with his or her organization effectively siloed from the rest of the C-suite. The very best CISOs, I've observed, spend time not only crafting an effective cybersecurity strategy but also driving home that strategy with these three groups:
- Fellow C-Suite executives – According to IBM's 2013 Chief Information Security Officer survey, each C-suite executive, from the CEO to the CFO and CIO, has a different security worry ranging from concerns about loss of brand or customer trust to financial losses due to breaches. The CISO needs to be able to communicate how they are addressing these concerns in order to garner board level support and appropriate security investment.
- Security practitioners - These are team members who may be resistant to disrupting how they have traditionally designed security in their network. It falls to the CISO to define the IT initiatives that are critical to the business so that the appropriate security options from the practitioner can be evaluated. The CISO needs to consider both sides of the equation -- risk and business return on that risk so that the right security decision can be made. Ultimately, when that decision is made, security practitioners can create security policies that align with these objectives.
- End users - Many cybersecurity leaders communicate with company end users, but it is imperative they follow-through and monitor employee effectiveness, with frequent updates. All employees should understand the appropriate use of business technology.
Much of the CISO role is helping the business understand and balance risks associated with a particular IT initiative, from compliance and risk mitigation to end-user impact – all in a way that enables, not hinders the business. The good news is the technology is there to support your needs. Using our next-generation security policies, you can implement policies that enable the business, simplify network operations, and provide clear visibility into applications, users and content.