Last Updated on July 23, 2021
Is a CISO’s role to focus on technical issues? Or should CISOs ideally have a bigger-picture, business-centric view in addition to understanding the technology?
To reframe cybersecurity to help SMBs strike the right balance between system functionality and risk exposure, Dr. Eric Cole, trending author and Founder/CEO of Secure Anchor Consulting, was our guest on a recent episode of The Virtual CISO Podcast. Pivot Point Security’s CISO and Managing Partner, John Verry, hosts the show.
Cybersecurity as a business enabler
“What is the critical data? What are the threats that have the highest likelihood of manifesting? What vulnerabilities have the biggest impact? It’s really understanding the business,” Eric explains. “How do you make money? Where are your biggest profit margins? Where do you need to protect and secure the organization?”
“Not all, but most CISOs… It’s often viewed as a technical career track,” notes Eric. “You work at the company for ten or twelve years. They don’t want to lose you, so they give you the CISO title. But you’re a world-class security engineer. You’re not a world-class CISO. You’re too focused on tech.”
According to Eric, the ideal focus for a CISO is on leveraging cybersecurity as a business enabler. That means knowing who your top competitors are, how you generate revenue, what your most profitable lines of business are, what your most critical competitive advantage is, and so on.
Products do not a strategy make
John describes the other end of the spectrum, a CISO who describes his or her “security strategy” in terms of a litany of point products. “Products are not a strategy—products are intended to fulfill a strategy,” notes John. “What was the strategy that drove the choice of those products? If you get a blank look at that point, you’ve got an issue.”
Interestingly, both John and Eric have observed that some of the best cybersecurity programs they’ve seen aren’t run by technical security folks.
“I think a technical project manager in a large organization could be a very good CISO because they’re focused on the process, and information security is just a collection of processes,” John offers.
“I would agree completely,” replies Eric. “Most of the really good CISOs typically only work in security for two or three years. They understand the foundation, but they like the bigger picture. They don’t like all the techie stuff. They don’t like all the hands-on. Because, let’s face it, if you’ve been a security engineer for ten or twelve years, that’s what you love to do. If I now put you in a CISO position, the probability of you being able to morph into somebody else is very, very low.”
CISO as intermediary
“I want somebody with much more strategy and program management focus,” Eric reiterates. “What a CISO really is, is a translator. You translate from technical to business, and you have to be really good at that translation. Or, as I always joke, [the CISO is] a marriage counselor. Because the executives think one way, tactical another way, and you’ve got to work out and differentiate the challenges between the two.”
“COBIT has the concept of value creation versus value preservation,” John reframes. “I think the problem with so many CISOs is they are value preservation focused, because everything you’ve done to that point is intended to reduce risk; that is, to preserve value. But a good CISO creates value. He’s a business enabler.”
If you want to help your business develop more effective security and create value at the same time, you need to hear this podcast episode with Dr. Eric Cole.