By Jon Clark
March 17, 2023
Growing up, Christmas dinner at grandma’s house, while exciting, was always slightly unnerving because of the dreaded “kids’ table.” Being the youngest of the cousins, my stay at that table was long, spanning many years. As time passed and the family grew, I eventually made my way to the adults’ table, and I knew the most important thing for my debut was being ready to talk about what they wanted to talk about, not any “kid stuff.” It was critical to me that they all knew I finally belonged at the adult table.
As you can tell, my mind recently wandered back to years gone by as I was thinking about the many transitions being faced these days by many people: new roles, new economic realities, expanded responsibilities with fewer staff – possibly situations you are facing currently. Perhaps you’ve been called on to fill new responsibilities, you are a freshly minted CISO, or you are just pondering adding one to your company. That led me to want to share some insights on what it takes to provide effective CISO performance and contributions to an enterprise. Insights on earning your seat at the adult table.
Smooth transitions between roles and responsibilities can be hard to achieve. With the relatively recent advent of C-suite roles having specific “Chief” titles in the business world (beginning during the early 2000s), there has been an expansion over the intervening years in the number of such roles. What started as a core of three or four executives receiving the “Chief” title has, in many companies, grown into a C-suite of well over a dozen different titles. One of the more recent titles to rise to prominence is that of Chief Information Security Officer, or CISO. As a relative newcomer at the executive table, the CISO role is, in many companies, still viewed as a junior role, one that no one is quite sure how to take. It can be seen as a dark, shadowy figure somehow related to “hacking,” and is frequently staffed with someone who has risen through the technical ranks based on skill and experience, yet might not have the same business acumen or training as their peers. Often not even considered a full executive member, on par with others around the (adults’) table, the CISO role can be tough to navigate successfully.
With cybersecurity and things like ransomware being such hot topics, it is easy for other executives to become focused on individual concerns deep in the tactical weeds of information security. The responsibility of the CISO is to take the conversation away from those minor topics, back to more strategic concerns. It is of high priority to the CISO to help their peers understand the broader picture of cybersecurity and guide the conversation to a higher level, one worthy of inclusion in the C-suite. This is when the CISO is best able to contribute to the success of the organization as a whole.
While all the work of a CISO is important and contributes to the success of the organization, one of the most critical roles the CISO can play is educating the executive team regarding cybersecurity strategy. Moving from the tactical to the strategic is difficult in any discipline, and even more so in information security, due to the salacious nature of aspects of cybersecurity that seem to always make the headlines. We tend to overemphasize the likelihood of occurrences that we hear about through confirmation bias. We hear about ransomware a lot, so we tend to think ransomware is the most likely threat to hit us. There are many threats to an enterprise, although some are less conspicuous than others. Being less well known doesn’t make them any less dangerous. You can’t only focus your defenses on high-profile threats. A mature program must be prepared to mitigate risks whether or not they are in the headlines, and that’s where the CISO proves they’ve outgrown the kids’ table.
Having appropriately reframed the conversation now with focus on what really matters—the success of the business rather than the success of the security program or any individual concerns therein—the CISO’s seat at the adults’ table is fully justified. Finally at the leadership table, the CISO should be prepared to discuss leadership topics, and merely focusing on security or compliance with no consideration given to the overall business will end up relegating the CISO shortly back to the kids’ table if one isn’t careful. Integrating security into the business and the processes whereby the business attains its goals is where the CISO can bring the greatest impact. Managing information security risk for the entire organization and ensuring that appropriate treatment is applied to that risk in accordance with the risk appetite of management is critical to the success of the company.
Understanding how to serve the needs and goals of the enterprise by improving processes and providing consistent guidance by means of appropriate governance, risk, and compliance management goes a long way toward success for both the CISO and the enterprise.
At this point, you may be wondering if you need to move your CISO to sit with the grown-ups—or indeed if you need to invite one to the event in the first place. If so, Parameter Security stands ready to assist you with your transition. Whether you aren’t quite ready yet to move to a full-time CISO and only need fractional services, you have a specific governance or risk project you are seeking assistance with, or you have a new CISO who is overwhelmed with all the newly created responsibilities that have been placed on them with the creation of the position, we have what it takes to assist and support you throughout the journey.
If you would like to discuss opportunities further, or perhaps just share your own story about Christmas dinners past, connect with me and let’s start the conversation.
Jon has been providing guidance in information security and technology risk for the last 24 years. His background includes serving as head of the information security program for a $2B financial institution, SVP of enterprise risk, and as CIO.
Once a university adjunct professor, Jon has the heart of a teacher and ensures his clients understand the ‘what’ and ‘why’ of solutions as he guides them through the establishment and maintenance of their information security programs.
Jon earned a Master’s degree in Computer Information Resource Management and has served in the United States Marine Corps. In his free time, Jon enjoys time with his wife and three ever-growing children, playing guitar and bass, and reading non-fiction. A favorite quote of his is from Charlie “Tremendous” Jones: “You are the same today as you’ll be in five years except two things: the books you read and the people you meet.”