Why CISOs Need to Go on the Offensive — And How to Do It

November 16, 2021

Contributor: Kasey Panetta

Ahead, three ways to be more effective in your security and risk strategy.

Security and risk leaders are often denied the extra budget they request to expand security coverage. Some concede and agree to do the best with what they have, but there is another way: Go on the offensive.

One CIO was explicitly warned by her manager not to ask the board for more money. But that didn’t stop her. She created a list of what she could fund with the current budget, but also provided detail on specific security projects she could not deliver without additional budget.

She got additional funding for two of those critical projects. 


“As leaders, you have to be able to go on the offensive,” said Tina Nunno, Distinguished VP Analyst and Gartner Fellow, in the opening keynote of Gartner Security & Risk Management Summit 2021. “Security and risk leaders can’t just defend the enterprise; they have to go on the offensive to help the enterprise take advantage of a wide variety of new opportunities.” 

As boards have become increasingly aware of the impact of security events like ransomware or breaches, it's up to you to coach other executives and leaders on their impact and mitigation tactics. As “head coach,” you set the rules, offer guidance, coordinate the players and act as a trusted advisor for counsel, expertise and vision.

Create your own brand

How your organization sees you is a key piece of the evolution from defense to offense. A defensive CISO says, “I do good work, and I let others decide what I am. I’m viewed as responsible, cooperative and friendly.” There’s nothing inherently wrong with that, but when asked how they would prefer to be seen, CISOs often use words like “innovative,” “strategic” and “effective.”

How to go on the offensive: Instead of waiting for others to assign you a brand, be proactive. If you’d like to be known as innovative, ask yourself what you’re doing that is new and different. If you’d like to be considered strategic, ask yourself how you’re making a difference in the business. Ultimately, your brand has to be authentic to you, but it should also draw attention to work you’d like to be known for and asked about. 

Communicate your successes via storytelling

Most technology executives are perfectionists, which means they often focus on what went wrong. It's not uncommon to see a presentation of a weekly dashboard, in which the first four slides focus on what went wrong or still needs to be done, rather than leading with the good news.


How to go on the offensive: It's more important to tell the right story than to be objective. Focus on how the security team protected the organization in a tough, radically shifting environment with limited resources. Acknowledge the small things that went wrong, but don’t dwell on them as part of the main story. 

Partner with other business leaders

Security projects often begin with a leader approaching the CISO and declaring that a given initiative is a top priority. You then have to respond: estimating the time, materials and milestones, identifying vendors and consultants, and managing the logistics. The No. 1 reason for technology failure is lack of engagement by business units — in other words, it's a failure of teamwork and of partnership.


How to go on the offensive: Start by making sure the leader knows that you are in a partnership, which means the security team has its responsibility, but the business leader also has to engage. It’s an approach of, “If you want X, you have to ante up Y.” This will improve outcomes and reduce failure rates. Choose your security and risk management (SRM) risks carefully based on what can be accomplished with that partnership, focus on teamwork and celebrate the win together.

As you shift from defense to offense by becoming the enterprise coach on risk, you can increase your value, contribution and, perhaps best of all, ensure that the entire enterprise wins.
