‘Chief’ in name only adds to the confusion:

Like other executive-sounding titles, such as chief marketing officer, chief revenue officer, chief technology officer, and others, CISOs sound like they should be officers of the company with broad decision-making capabilities, but in most cases, they lack any actual power.

“There are some CISOs that sort of rise to what it means to be an officer of the company, and they’re then treated as such, regardless of their reporting relationships,” Khawaja says.

“I’ve seen CISOs that are four levels down from the CEO, but they are seen as a first-class member of the executive suite,” he adds. “I have seen CISOs who are a direct report of the CEO, and they have almost no influence and no authority. So, it has very little to do with the actual reporting relationship and the organizational structure. It has much more to do with the ethos and the behavior of the individual themselves and the quality of the relationships that they make with the CEO, with the board, and with their peers.”

Ellis says, “There’s been this explosion of C-level titles that are not C-level roles in companies. The CSO [chief security officer] was the first of them. I think the CIO and the CMO were the last new ones to become part of the C-suite, and almost everybody since then is not part of the C-suite. They’re always a step down.”

But Ellis thinks this lesser role that CISOs occupy will not last for long, given how vital cybersecurity is. “I think we’re more likely to see an evolution of the CISO back into a CIO- or CTO-type role. If you look at what a CIO does today outside of the Fortune 500, they’re a procurement officer for commodity hardware and SaaS services. That’s not a C-level position. But that combined with the CISO is.”

Headway’s Chiang believes that even if CISOs don’t merge back into CIOs, they’re likely to attain more power. “We are moving to more standards and norms around what a CISO does, which in some ways is a natural follow-up to what CISOs now need to ensure, for example, being a named officer by the board and therefore having the same level of liability coverage as a CFO, for example, in some of these risk decisions.”
How CISOs can communicate what they do:

No matter where the organization is on the cybersecurity maturity curve, or how little executive power a CISO truly has, experts say there are ways to communicate the CISO’s duties so that internal or external stakeholders have a clearer idea of what they do.

Very few standard documents exist that can help with this task. Cybersecurity board advisor Rafeeq Rehman produces each year a “CISO MindMap,” a visual achievement that crystallizes what CISOs do. But it is intricate, displaying hundreds of duties that any given CISO might undertake. “I wouldn’t share that mind map with my peers,” Chiang says. “It would overwhelm them.”

Ellis has produced The Idealized CISO Job Description, which is all-encompassing in describing the complex range of CISO job responsibilities. But few CISOs have ever carried this level of duties. Ellis says he knows of only 100 or so CISOs who have met the idealized criteria, and “they’re mostly all in the CISO Hall of Fame at this point,” he says.

Instead of sharing these complex and specialized documents, Chiang says CISOs should “look for ways to tell the story from our shared customer’s perspective,” to paint a picture of what they do in terms of providing access or reducing risk, for example. “That moves us away from maybe thinking the CISO is a decision-maker, which they are almost never. They’re advisors and helpers and enablers, and show up when things go wrong.”

“The first thing a CISO has to do is learn to speak the language of the person to whom they’re speaking and to determine what they are measured on, what is best for them,” Dr. Z says. “Determine what’s important to this person or this department or this office, and how you can show your relevance to that.”

Ellis thinks it’s essential for CISOs to show their work to customers in person. “You want everything to be in person,” he says. “You want to have conversations with people, and they should see the work that you do. You should never tell them, ‘We did this thing.’ They should see what you do and really what you help other people to do.”

Moreover, in communicating throughout the organization, CISOs’ messages will carry greater weight and be more memorable if they give credit to others. “Mention what somebody else in the company did that protected the company,” Ellis says. “This engineering team just built us an amazing multifactor authentication system that is seamless. These are the people whom you should be thanking. Everybody will want to work with you, the only one who’s thanking other people.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4026872/the-cisos-challenge-getting-colleagues-to-understand-what-you-do.html