Security is a foreign language to many people, and most security managers and executives rose up through the ranks on the security side of things, rather than the business side. That often poses a problem because it means that the CISO doesn’t fully understand the business or its goals, and the board and other company executives don’t speak security.
It’s important for the CISO to be actively engaged with the board, and for the board to help the CISO see the bigger picture for the business because the two need each other. The CISO can’t effectively secure and protect the business without knowing what the goals are, and the board can’t effectively grow and build the business without knowing the security risks and how to mitigate or avoid them.
I talked with seven security vendor CEOs about the importance of the CISO role and why the CISO needs to be an active part of boardroom discussions:
Cybersecurity was a primary focus of President Obama in this week’s State of the Union address. In the wake of the Sony hack, and the seemingly endless stream of massive data breaches, it seems that security is finally getting more attention from both the government and the companies that are under attack. That means the CISO needs to have a seat at the table and help drive the security strategy.
Whether it’s a Chief Information Security Officer (CISO) or just a Chief Security Officer (CSO), the “Chief” part implies that the position is an upper-level executive role. It should be expected that the CISO be a part of boardroom discussions, both so that the board and the rest of the executive management team know where things stand from a risk perspective, and so that the CISO is part of the conversation as it relates to business goals.
I spoke with CEOs from a number of security vendors to talk about the importance of the CISO role, and the need for security to augment and facilitate rather than obstruct and impede the natural flow of business. Ultimately, the CISO is the person responsible for ensuring the security of the company data, as well as the data of its customers.
“Participating in boardroom discussions prepares the CISO to provide vital information and insights that the board would not have otherwise. Most executives have business, operational, and financial acumen, but history shows us that boards and executives are not typically fluent in matters of information security risk,” explained Jeremiah Grossman, founder and CEO, WhiteHat Security. “By including a trusted advisor focused on information security, the board will have the resources to navigate regulatory requirements for Payment Card Industry Data Security Standards (PCI DSS) compliance, Federal Financial Institutions Examination Council (FFIEC) assessments, and/or potential Security Exchange Commission (SEC) disclosures.”
Check out the full story on Forbes: 7 CEOs Share Why CISOs Need To Be Involved In The Boardroom.