
Every leadership role is complex and involves strategy, influence, responsibility, and accountability in different forms. What makes the CISO’s role different is that he or she has to understand how every part of the business performs its function in order to partner more effectively and be the “business enabler” that we all strive to be. The need for CISOs to be so cross-functional is very similar to how a Liberal Arts education explores alternate avenues outside of a given area of expertise in order to ask interesting questions. I still remember my amazement when my homework assignments for my Linguistics class were the same assignments as for my Computer Algorithms class, but from different books. The interdisciplinary nature of the CISO’s role and the continuous learning it demands are what I find so compelling.
Executives should be leveraging the CISO’s unique perspective and exposure to the organization to help drive the business to new heights.
Most executives and their teams will focus on their area of expertise and apply it across the business to ensure optimal operations of the organization. The Finance team will work across the business managing treasury risk, operating costs, investments, and P&Ls, which are all core to financial performance. The Human Resources team will work across the business on hiring, performance reviews, compensation, training, PIPs, etc., which are all core Human Resources functions.
Security teams must work with HR teams on insider risk, travel considerations, life safety, etc.; CFO teams on financial risk, financial tools, SEC reporting, etc.; CTO teams on development methodologies, product development, secure design, vulnerability management, etc.; Legal teams on privacy controls, regulatory issues, incident management, etc.; CIO teams on enterprise productivity tools, mobile devices, infrastructure, etc.; Chief Revenue Officer teams on sales stages and pipelines, customer relations, collateral; and the list goes on and on. A CISO and his or her security team have to intimately understand how each of these teams does its work in order to measure risk, facilitate informed decision-making by stakeholders, do everything possible to secure the organization, and prepare for resiliency and recovery. The breadth and depth of exposure that a CISO has to the business is part of what makes the role so challenging and interesting, and also one of constant learning.
Taken another way, and this is to be explored in another post, CISOs need to understand every aspect of the business not only to help manage risk but also to understand how to align with and enable the business. Enabling the business is not only about getting out of the business’ way or creating smooth paths; it is about helping the business scale security in the right ways when needed, depending on which part of the business needs scaling. It is also about helping to uncover ways of managing risk, or perhaps reaching a higher plateau, by exposing opportunities that the stakeholder may not have perceived.