What can CISOs/CIOs do to be effective despite lack of board readiness?

445 views3 Comments

Sr. Director of Enterprise Security in Software, 5,001 - 10,000 employees
Usually I have selected roles where IT security functions were pretty well valued. I've had opportunities come up when an organization wants a head of security, and I’ll ask them, “How does the company feel about security?” If they say, “The board doesn't care. They have no interest," in an interview, then I’ll turn down that role. I shouldn’t need to teach you about why my job is important.

A company can say all the right things, but if their concern isn’t real then you'll be giving all these presentations, and when it actually gets back to leadership, they say, "Yeah, our security's good—we got breached, but we have you and some other people now, so we're good." Organizations have to understand that security professionals are not a statue you put in a place. They're not like a rottweiler in a junkyard. You have to actually invest in what they're doing.

But changes are happening. In a lot of those conversations with leadership about security, people would just nod along and say, "Okay. Uh-huh. No, I'm listening, yep, uh-huh." Now it is, "Tell us how you're going to actually stop this because we're all shareholders."
Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
A mentor taught me to never sell security to folks who don’t care. He'd been doing this since the '90s, and I was working for him in the mid to late 2000s. It just stuck with me: there will always be this element of crisis, and it's needed—from a defensive standpoint, all security ultimately comes back to being the product of something bad happening a lot of the time. So don’t go in trying to educate folks on why they need to care. Find the people that actually care already, and chase them down.
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
Lack of board “readiness” is interesting - if they aren’t reluctant and just not prepared that is the key effort. Many approaches to this.

If the board doesn’t care, as others have suggested, a CISO/CIO can update their LinkedIn profile and start a stealth job search to be effective.

Content you might like

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
43.6k views132 Upvotes319 Comments

Business expansion13%

Changing business model47%

Compartmentalization due to localized regulatory requirements13%

Cultural changes within organization13%

Customer data privacy concerns3%

Data monetization3%

Emerging risks3%

Improving data governance maturity3%

Introducing new technology0%

Scaling data and analytics ecosystem0%

Not sure3%

We aren’t making changes0%