From IT to CISO: Explaining Cybersecurity to Your C-Suite

Cybersecurity has increasingly become a shared responsibility of all members of an organization, including the C-Suite, as new legislation and major data breaches have greatly influenced a company’s bottom line, overall reputation and investment outlook. With today’s threat landscape, it’s significantly more important for CISOs to properly explain security and risk-avoidance projects to the broader executive team.

Why the C-Suite should care about cybersecurity

While CISOs control the technical aspects of their cybersecurity programs, they should no longer assume total responsibility for all cybersecurity initiatives. Top C-Suite decision makers, such as CEOs and CFOs, need to be informed in an accurate and timely manner so they can take more active roles in mitigating risk.

Legislation, such as the Sarbanes-Oxley (SOX) Act, can hold top executives accountable if their publicly traded company’s financial reports fail to meet certain standards. A $5-million fine or a 20-year imprisonment (which SOX Section 906 allows to be meted out to guilty CEOs and CFOs) is not to be taken lightly.

Although not all legal penalties are directed explicitly at C-Suites, the potential impact of these penalties on businesses is enough to demand attention from other members of your executive team. Hefty fines, like €20 million or 4% of the company’s global annual turnover of the previous financial year (GDPR), or $50,000 per violation (HIPAA), can certainly impact the bottom line – making it clear that CFOs and leaders in the legal department should be involved in cybersecurity decisions as well.

Legal penalties aren’t the only consequences executives may face. High profile data breaches can quickly damage a carefully constructed career. Just ask both the ex-CEO and ex-CIO of Target, the ex-CEO of Equifax, the ex-Co-Chairman of Sony Pictures, and other executives who were forced to resign after their respective companies were subjected to highly publicized data breaches.

What if you’re the one tasked with spearheading your company’s information security program, but have yet to garner support from senior management?

Explaining cybersecurity to C-Suite executives

Business leaders in advanced economies already see cyberattacks as one of the top three global risks to their organizations. It’s great if your executives already share that perception. But what if they don’t? If you’re the CISO or Head of IT Security, the burden is on you to clearly explain the value of cybersecurity to your C-level executives. It’s not an easy task – especially if you’re already having trouble obtaining approval for cybersecurity and/or risk mitigation projects.

Where are the obstacles coming from? One common hurdle stems from the inherently conflicting priorities of CISOs and CIOs. The mission of a CIO is to speed up the business and find efficiencies using information technology. CISOs are charged with securing the information within those environments. Unfortunately, this typically conflicts with the CIO’s mission, since heightening security tends to slow processes down. The problem is that, in many organizations, CISOs report to CIOs. If they can’t get support at that level, it becomes even more difficult for CISOs to garner support from other leaders. However, both CISOs and CIOs need to understand that they’re really in the same fight. An unmitigated and/or undetected cyberattack can easily throw a wrench into a CIO’s core initiatives.

Even in organizational structures where the CISO doesn’t report to the CIO (for example, if they both report to the CFO), CFOs tend to favor the business-enabling projects of the CIO over the (wrongly perceived) business-inhibiting cybersecurity initiatives of the CISO. Today’s CISOs struggle with being business-minded, but the value of cybersecurity must be communicated at that level when discussing cybersecurity challenges with a CFO. It’s my opinion that cybersecurity programs grounded in business risk can be highly successful in closing this gap.

Another hindrance is that some CISOs have a very limited grasp of business economics. Many CISOs come from purely technical backgrounds. When they try to influence across an organization, they usually struggle to articulate security issues in terms executives can readily digest. From what I’ve seen, most successful CISOs have experience in truly mitigating attacks AND either have an MBA or come from a strong business background. These are the folks who can easily map threats and vulnerabilities to business risks.

CISOs or whoever is charged to lead your cybersecurity program must wear two hats – those of a security professional and a business professional. It’s imperative that they:

  • Understand business risk to an enterprise
  • Intimately understand the difference between a security risk and a business risk
  • Understand how budgets work
  • Understand spend across an organization

Only by understanding the business side can CISOs hope to make reasonable, realistic, and compelling cybersecurity proposals that C-Suite executives understand and support.

The impact of C-Suite decisions on overall security culture

Ideally, every person in the organization is responsible for security. This typically starts from the Board of Directors down. That’s because, even if you only have one person who fails to take security seriously, that person can become a vulnerability that attackers exploit. Cultivating a security mindset in every member of the organization builds a robust and successful security culture. As in all corporate environments, the biggest ripples originate from the top and then propagate throughout the organization.

Business leaders are in the best position to influence corporate culture. First, their view from the top allows them to see relative logistical deficiencies/surpluses among all business units. They’ll know where to tap the needed talent and other resources if one business unit requires them.

Secondly, they have the authority to influence other members of an organization to work together towards a common goal, even if those members normally don’t have the same objectives or perhaps even have opposing priorities. This advantage can come in handy in situations where security projects require a great deal of coordination and collaboration amongst different business units.

Third, C-Suites have a firm grasp of business objectives. Thus, when they start supporting security projects, they can see to it that those projects align with business objectives. Contrary to public perception, the problems in cybersecurity are not just technical issues nor are their solutions purely technical in nature. People and processes play very significant roles and need to be closely tied together. Let me give you an example:

Although ransomware is a piece of malicious software, its delivery method and best countermeasure rely heavily on human interaction.

Not counting WannaCry, Petya/NotPetya, and other types of ransomware that automatically propagate using worm-like characteristics, most ransomware is actually delivered through phishing, a social engineering technique that takes advantage of end users who download email attachments without checking them for threats.

Because most initial ransomware infections are caused by end user downloads, they can be prevented by proper information dissemination, seminars/trainings/workshops, and enforcement of security policies. This creates a “culture of security.” These activities require support from top executives to ensure complete participation and cooperation across all departments.

As Henry Ford once said, “Coming together is a beginning. Keeping together is progress. Working together is success.” The success of your cybersecurity program hinges heavily on the cooperation of all members of your organization – especially your C-Suite.
