CISOs to engage the board for security decisions

by CXOtoday News Desk    Jun 17, 2013


The information security landscape has become so complex that threats can surface at any time, and enterprises should brace for them accordingly. This brings to light the role of the Chief Information Security Officer (CISO), which is becoming far more critical in security decision-making. However, experts believe that information security can no longer be treated as a purely technical concern; it is a key business decision that should involve the entire boardroom, and it is the CISO who should take the lead in engaging other CXOs so that the right security strategies are chosen to protect the enterprise network and its critical data.

Lawrence Orans, Research Director at Gartner, believes that the rise of mobile technologies, cloud computing and social media will radically change the way enterprises manage IT security in the coming years. As a result, tackling the growing security concern cannot remain the CISO's problem alone; every key decision maker in the enterprise should be involved in choosing more advanced security solutions and strategies to safeguard the organization for the future. Moreover, because employees, customers, partners and other stakeholders are all affected by a security breach, security decisions deserve a prominent place on the board's agenda.

Strong business acumen

Getting the entire C-suite involved in a business decision requires a good deal of business acumen, according to experts. This is why CISOs who are expected to be smart and business-savvy gain an edge over security officers who prefer to stay backstage fixing antivirus on systems.

Andrew Rose, senior security analyst at Forrester, explains that a business-savvy CISO can influence the board because he can convey the right message to the C-suite and convince them of how they can mitigate existing and upcoming challenges in cyberspace. "In other words, the CISO should communicate the value of IT security to the organization and how it can be aligned with business objectives," he says.

Some believe that a CISO who reports to the CFO may face difficulties in influencing the board. Orans, however, points out that in such a situation the CISO needs to coordinate with the CFO and persuade him to raise the issues with the board in subsequent meetings. "A CISO's contribution will eventually be realized if he has the right business acumen and communicates accordingly with other C-suites," he says.

Sanjeev Kumar, Group CIO and President of Business Excellence at Adhunik Group of Industries, agrees, believing that when CIOs and CISOs engage their board members successfully and communicate effectively, half the work is done. "CISOs need to drive engagement with the board and, more importantly, need to translate the technicalities of IT security and information risk into simpler, easily understood solutions," he says.

Strategies to engage the board

The Information Security Forum (ISF), in a recent report, recommends guidelines for CISOs to involve the C-suite. The steps are: define, prepare, engage and review.

At the Define stage, the CISO must understand how information security is viewed by the rest of the organization, position himself as a business enabler and prepare the organization accordingly. Next comes the Prepare stage, where he must be clear about what he wants to achieve for the organization and what the outcome should be. The third stage is Engage, where the CISO should not only involve all the board members but also work out how to collaborate with vendors, solution providers, agencies and governments to create a security ecosystem. Communication is essential in this step.

ISF sees Review as a very important step in this process: the CISO gathers feedback, for example through feedback forms, and checks that his objectives have been met, recording the minutes of the meeting and working on the pitfalls in the security strategy that the feedback reveals.

Rose believes that with security becoming more pervasive, customer expectations rising and new kinds of business transactions rapidly taking off, the CISO's role will continue to shift toward business, delivery and engagement. Moreover, successful companies will embed their security strategy in their business strategy so that they secure their enterprises proactively.