CISO Tips: Speaking the language of business

The six phrases CISOs can use to connect with business executives

2017 Cybereason. All rights reserved.
A cost center that doesn't align with the rest of the organization. Is run by people who don't understand the business objectives. The part of the organization that fails to deliver return on investment. The department of no.

If you're a CISO or an information security leader, these are some of the phrases that you may have heard used to describe your department (or possibly you). Whether or not these depictions are accurate is debatable. But what's not open to discussion is that the role of information security executives has evolved. CISOs may now find themselves talking to investors about how an attack impacted quarterly earnings in addition to more traditional duties like managing a SOC.

Fortunately, CISOs aren't the only leaders with a technology background who have had to demonstrate their business acumen to peers. CIOs had to make this same transition. When these technology leaders began to appear in organizations about 15 years ago, they also had to align with the business objectives. CISOs now find themselves in the same role. They're in the boardroom with peers who don't understand how security impacts them.

To connect with business-minded colleagues, CISOs need to learn and speak the language of business, which centers around these six concepts:

1. Risk
2. Revenue
3. Employee efficiency
4. Strategic value
5. Cost
6. Customer satisfaction
Risk

Addressing risk is critical for CISOs when talking to other C-levels and the board. Risk mitigation is the link between a company's security and business units. CEOs, COOs and CFOs want to reduce it, while CISOs are the ones who can accomplish this task. CISOs should try to avoid talking about highly technical details. The CEO and your board don't need to know about server configurations or the nuances of the organization's patch management strategy. But they do need to know whether the company can muster enough servers to withstand a DDoS attack and has patched the Windows vulnerability that lets attackers use the EternalBlue exploit.

Revenue

Simply put, this is how information security can help an organization make money. While this concept may seem obvious, InfoSec departments are often perceived as the department of no. Even worse, security personnel, and the CISO in particular, are viewed as the people responsible for stifling innovation. And innovation can give a company an edge over its competitors: hurt innovation and you risk hurting revenue. To avoid being seen as the department of no, CISOs need to talk to their colleagues about what they're working on. The sooner CISOs learn about upcoming projects, the sooner they can suggest ways to incorporate security from the start. Not only does this make a product more secure, but it also lets development proceed in tandem with the addition of security measures.

Employee efficiency

Security is often seen as impeding employee efficiency. Countless employees can share anecdotes of how a security application slowed down or crashed their machine. And there's the belief that security departments stifle innovation, which also ties into employee efficiency. The situation sometimes plays out like this: Developers spend months adding features to a product. Eventually, the security department reviews this work and determines that some of the features could jeopardize a customer's security and need to be dropped. The developers, who feel that they've wasted their time, now spend even more time reworking the features to meet the information security requirements.
Strategic value

Information security has to show the value that it brings to an organization. Security programs can't be carried out just for the sake of security. They have to be conducted in the context of the organization's overall business objectives and help the company meet those goals. The security department can't block innovation.

Cost

When buying a security tool, hiring for the security team or making any other security-related expenditure, show that spending this money is less of a financial risk than not addressing the vulnerability. This is especially true when discussing budgets with CFOs, who relate everything to finance, money and return on investment. For an even more detailed view of how a business works, security executives should befriend the CFO and ask to look at the profit and loss statement.

Customer satisfaction

Product development is the link between information security and happy customers. Product teams are the ones responsible for creating the services and products customers use, while security teams ensure that those products and services are as secure as possible. The challenge for security teams is to keep the product secure without impeding its performance and negatively affecting the user experience. Achieving this requires security to be involved in a product's design from the start. When information security partners with product, incorporating security is much easier than trying to tack it on once the item is being sold, leading to protected and content users.
Business leaders care about how security fits into and improves each of these areas. Avoid talking about technical topics that only people with computer science backgrounds would understand. The average executive isn't going to understand cross-site scripting or machine learning algorithms. But they do want to sell a product that protects customer data, reduce the risks the organization faces and increase yearly revenue.

Don't abandon your technical roots

Becoming business savvy doesn't mean technical knowledge and maintaining relationships with the people who carry out IT security are less important. CISOs must master being involved in both of those realms. Security executives need cred with the analysts who attend Black Hat. But they also need to earn a seat in the boardroom by demonstrating that they're the source of understanding risk from an IT infrastructure perspective.

There is hope for the CISO

Technology is now seen as critical to providing an organization with a competitive advantage, and CIOs are expected to be included in executive discussions around corporate strategy. The same fate awaits CISOs if they frame information security discussions around how their plans benefit the organization and speak the language of business.

About Cybereason

Cybereason is the leading provider of behavioral-based enterprise attack protection, including endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services. The Cybereason solution reduces security risk, provides complete visibility, and increases analyst efficiency and effectiveness. Cybereason partners with enterprises to gain the upper hand over adversaries. Cybereason is privately held and headquartered in Boston, with offices in London, Tel Aviv, and Tokyo.