What can CISOs/CIOs do to be effective despite lack of board readiness?

Strategy & ArchitectureThreat Intelligence & Incident ResponseBusiness Relationships
445 views3 Comments
Sr. Director of Enterprise Security in Software, 5,001 - 10,000 employees
Usually I have selected roles where IT security functions were pretty well valued. I've had opportunities come up when an organization wants a head of security, and I’ll ask them, “How does the company feel about security?” If they say, “The board doesn't care. They have no interest," in an interview, then I’ll turn down that role. I shouldn’t need to teach you about why my job is important.

A company can say all the right things, but if their concern isn’t real then you'll be giving all these presentations, and when it actually gets back to leadership, they say, "Yeah, our security's good—we got breached, but we have you and some other people now, so we're good." Organizations have to understand that security professionals are not a statue you put in a place. They're not like a rottweiler in a junkyard. You have to actually invest in what they're doing.

But changes are happening. In a lot of those conversations with leadership about security, people would just nod along and say, "Okay. Uh-huh. No, I'm listening, yep, uh-huh." Now it is, "Tell us how you're going to actually stop this because we're all shareholders."
3
Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
A mentor taught me to never sell security to folks who don’t care. He'd been doing this since the '90s, and I was working for him in the mid to late 2000s. It just stuck with me: there will always be this element of crisis, and it's needed—from a defensive standpoint, all security ultimately comes back to being the product of something bad happening a lot of the time. So don’t go in trying to educate folks on why they need to care. Find the people that actually care already, and chase them down.
2
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
Lack of board “readiness” is interesting - if they aren’t reluctant and just not prepared that is the key effort. Many approaches to this.

If the board doesn’t care, as others have suggested, a CISO/CIO can update their LinkedIn profile and start a stealth job search to be effective.
2

Content you might like

IT leaders are struggling to become business partners because they are being held back by focusing on a process-driven operating model instead of a service-optimizing operating model.

IT Strategy & RoadmapBusiness RelationshipsPartnerships

Strongly agree6%

Agree73%

Neutral15%

Disagree4%

Strongly disagree0%


524 PARTICIPANTS
1.7k views2 Comments

What steps are must-haves to ensure data security in automated processes?

SecurityStrategy & Architecture
326 views

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
43.6k views132 Upvotes319 Comments

Any plans to change your software teams’ working environment in the next year? Are you going remote or pushing for return to office?

EngineeringStrategy & ArchitectureTeam & Organizational Design+1 more
1.3k views1 Comment

What is the main driver for changes to your data governance strategy in the upcoming fiscal year?

Data GovernanceStrategy & Architecture

Business expansion13%

Changing business model47%

Compartmentalization due to localized regulatory requirements13%

Cultural changes within organization13%

Customer data privacy concerns3%

Data monetization3%

Emerging risks3%

Improving data governance maturity3%

Introducing new technology0%

Scaling data and analytics ecosystem0%

Not sure3%

We aren’t making changes0%


32 PARTICIPANTS
193 views