As the threat landscape evolves and digital environments become increasingly complex and interconnected, CISOs are shouldering a growing burden — one that isn’t always visible to business leaders. But today’s CISOs can’t afford to be siloed. When they identify potentially damaging risks, they need the resources to address them. That means building a relationship with the CEO based on shared goals, trust and effective communication.
CISOs’ Risk Tolerance Should Align With Their Employers’
A strong CEO/CISO relationship starts during the hiring process. It’s essential for the CISO to have a risk appetite that aligns with their employer’s. For example, a cautious, risk-averse CISO probably isn’t going to thrive in a startup environment with an executive team keen to make lots of high-risk strategic bets. On the other hand, a more freewheeling CISO with a high tolerance for risk probably shouldn’t seek work at a bank. When risk tolerance is misaligned, it creates friction between the CISO and other executives, which isn’t good for either party.
The stronger the partnership between the CISO and the CEO, the easier it will be for the organization to identify and mitigate risks in an efficient manner. My relationship with my current CEO, Matt Kunkel, exemplifies this: When I bring an issue to Matt, I can almost always predict how he’s going to respond before I say a word. We knew we were well aligned before I even came aboard, and today there are very few surprises between us. We have similar risk appetites, and we understand how to communicate in a way that foregrounds business impact.
Yet even when the CEO and the CISO are strongly aligned, poor communication can still pose a problem. The CISO position today is less of a technical role and more about strategic business enablement, but many CISOs have a difficult time framing complex risk and security challenges in business terms. Modern organizations collect data at a massive scale, operate in multicloud and hybrid environments, work with dozens of Software as a Service vendors and experiment with new AI capabilities, yet most CEOs can’t get into much technical detail on any of it. CISOs need to speak the language of business, explaining how mitigating a given risk will lead to positive business outcomes.
How CISOs Can Avoid Being Too Negative
CISOs often focus primarily on the risks that need to be addressed, but this can be alienating. CEOs don’t always appreciate being read a list of problems. Instead, it can be helpful to talk about the risks the company doesn’t need to focus on.
For example, few organizations have the time or the resources to defend against nation-state-funded attacks. If you didn’t build your physical office deep into the side of a mountain to protect against physical attacks from other nations, why would you try to build cyber controls to that level? Knowing where to draw the line between acceptable and unacceptable risks allows CISOs to make clear that they are solving for the threats within the organization’s risk threshold.
It can also help keep business leaders engaged. When CISOs turn everything into a five-alarm fire, CEOs tune out. CISOs deal with risk all day long, but not every threat is critical from a business context. For example, if a risk isn’t likely to have a material impact on the company and its bottom line in the immediate future, it probably doesn’t require the CEO’s urgent attention. Leadership teams and CISOs need to work together to create a taxonomy of risk, establishing definitions for what constitutes a critical risk well in advance, so the CEO knows that when the CISO brings something to their attention, it represents a significant concern.
For their part, leadership teams can help by making sure CISOs have the resources at their disposal to effectively quantify risk in a business context. When everyone is speaking the same language, communication becomes much easier.