What can a CISO do if their authority is unequal to that of other C-suite execs (apart from the CEO)?
Make sure the rest of the C-suite is aware of and understands the risks of inadequately addressing security. Partner with other C-suite execs who do have the authority and understand the risks.
A CISO (vs. most other C-Suiters) should have the ability to truly understand the DR plan in all its permutations. Playing through as many contingencies as possible and getting hands-on with solutions sets this role apart in my opinion.
This relates directly to Ben Rothke's comment ("Consider that CSO in that case = Chief Scapegoat Officer.") in that, yes (LOL), the CISO is going to be the one getting sprayed when "stuff hits the fan", so hopefully they've prepared for that outcome and have a hazmat suit ready to go.
They will need to build political capital that can enable them to protect the security and safety of the organization's data. While they do this they need to enable the role to become an equal member of the C-suite too; otherwise the accountability and value of the role are unlikely to retain quality talent.
Authority doesn't necessarily reflect on the ability to get things done. If you do your job well, then others at the C-level will recognize and respect that. That will bring the authority with it, whether it's only implied or actually given.
For a Chief Information Security Officer, s/he can establish and maintain the strategy and vision to ensure information and technology needs are adequately communicated and executed.