The following vignette was the catalyst for multiple conversations between the authors about why it’s as important for today’s CISO to be a business leader as it is to be a security professional. Being a security professional is a baseline expectation for getting hired; being a business professional is something the CISO must proactively learn if they want to be recognized as a member of the executive team.
One of the most embarrassing moments of my life occurred when a CISO colleague invited me to give a cyber-intelligence briefing to his Board of Directors. Following the presentation, my colleague gave his quarterly security update to the Board. After his presentation, he was getting a few questions and was honestly not doing too well. He began getting a little flustered because the questions were skewing specifically towards the business and out of his security comfort zone. Finally, the Chairman asked him, “Do you understand how we generate revenue?” My colleague was speechless, and to say the conversation went sideways quickly is an understatement. It was a horrible experience for everyone in the room, but one of the best lessons I’ve ever seen about why the chief information security officer should be a student of the business and understand how the company makes money.
Over the course of our security careers, we’ve talked to hundreds of people and are consistently surprised that so few CISOs are adequately versed in the actual business of their organization. The vast majority of talks, presentations, and conversations at security-related conferences focus on technology, certifications, and policies; it’s rare to hear security people talk at any level of detail about the many factors that contribute to revenue in their business.
Earning a seat at the table
While most people land a CISO or senior security job through their knowledge of risk, security technology, and the security threats facing the company, that knowledge alone doesn’t earn them a seat at the executive table. Like it or not, security is not foundational to generating revenue in most companies, so security has to compete with every other function for the attention of executive leadership. CISOs are most often still perceived as technology geeks who don’t think broadly enough to be part of the business conversation.