How do CISOs get executive buy-in for security risks and requirements?


Sr. Director Third Party Risk Management in Healthcare and Biotech, 10,001+ employees
First is really working closely with our internal customers and understanding those probing questions: what is it that they're concerned about? We need to better understand what the business is worried about and what type of data and information they want to secure. From that perspective we can then say, "okay, these are the types of controls that will help mitigate those risks and enable you to proceed with confidence." We might have a set of operational metrics that help you day-to-day. Those should ultimately feed up to, or support, a business risk that's supposed to be mitigated or covered. And then, from a board perspective, tying that to a story of what it actually means: being able to work with the technical teams and be the bridge to the business counterparts. With vulnerability management, articulating how many of our systems are actually protected from being exploited, and being able to see which systems are actively being exploited or targeted, is the "so what?" factor we tie back to when explaining to the board why it's significant.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
How we got from traditional security metrics to that whole value proposition conversation has been interesting. A lot of it has to do with understanding the business and what the business does. When I moved into my new company, the first thing I realized was that I had to understand data. I've been in healthcare for so long, where I had to understand the product, the risk profile, and the security threat landscape for product-to-patient. In the healthcare, highly regulated GxP space, it's actually a little bit easier to just stipulate the policy, standards, and procedures. The approach to demonstrating and articulating that is, "How ready are you? Are you inspection ready? Audit ready?" Coming to a tech data company that has the essence of startup culture, with me, Miss SOP Queen, running around wanting more procedures, it's been an interesting journey to right-size that conversation. It's a totally different product and threat landscape. How do I assimilate into that and message/package what's meaningful to leadership? From healthcare into data and tech, the difference between the compliance requirements around a regulated product like a drug and a regulated product like data, it's a different mantra here and I'm trying to reset there. So with training for the teams here, it's been really about trying to be nimble in interpreting what secure SDLC looks like without making it seem like SDLC. We're coming out with a branding that it's just good system engineering.
Director of Information Security, 10,001+ employees

I think the whole agile approach applies in a lot of different ways, not just your product development or your tech development. We use it in strategy development where things come in and out as well. We have to be nimble with shifting priorities. What is most important can change on a weekly basis. We keep up on it. We meet religiously on a weekly basis, and if all the decision makers aren't there for each of those organizations, we don't make a decision to pull something in. But at least if something gets pulled in, something's got to go out. It's agile in that respect. I don't think you can really do much without being agile these days.

CIO in Energy and Utilities, 11 - 50 employees
It is best to monetize the risk issues so they understand the potential damage, in terms they're more familiar with, if a risk materializes. Create a business case for each risk, and be sure to tell your board that we don't want to get an ROI from those business cases, because it would mean a risk materialized. It's like insurance coverage.
Chief Information Officer in Manufacturing, 10,001+ employees
The CISO needs to be able to make it relatable to the audience in order to get buy-in and understanding of the importance of a robust security program.
Assistant Director IT Auditor in Education, 10,001+ employees
Tell them in simple terms what will happen if the security risks are not mitigated/addressed. When they realize that the company may not recover from certain risk exposures, they will get it.
Senior Information Security Manager in Software, 501 - 1,000 employees
Executives don't want to feel stupid. Too many CISOs use jargon and tech talk that make execs feel clueless.

One way to avoid that is to use the Factor Analysis of Information Risk (FAIR) methodology. It enables you to speak to execs in a way that you can be understood, and to empower them.
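Two of the replies above point the same way: put risk in money terms (the CIO's "monetize the risk, build a business case") and use FAIR to do it. The script below is an added example, not code from the page or from any of the commenters, of the simplest form of that: a Monte Carlo over FAIR's two top-level factors, loss event frequency (events per year) and loss magnitude (cost per event), each given as a calibrated min / most likely / max estimate. It turns a vague "phishing is a big risk" into an expected annual loss, a 90th/99th-percentile bad year, and a before/after comparison that nets a control's cost against the loss it avoids. The scenario names, the estimate values and the 100,000 control cost are constructed for illustration and are not from the page; the triangular distributions are a modelling choice (FAIR practitioners commonly use PERT) and stdlib `random` is used so it runs offline.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max estimate, modelled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """FAIR's two top-level factors for one loss scenario."""
    name: str
    lef: Estimate   # loss event frequency, events per year
    lm: Estimate    # loss magnitude, currency units per event


def _poisson(rng: random.Random, mean: float) -> int:
    """Number of loss events in one year, given a rate (Knuth's method; fine for small rates)."""
    limit = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario: Scenario, trials: int = 20_000, seed: int = 1) -> list[float]:
    """Monte Carlo: draw a frequency, draw how many events occur that year, draw each event's magnitude."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        events = _poisson(rng, scenario.lef.sample(rng))
        yearly.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return yearly


def summarize(yearly: list[float]) -> dict:
    """Expected loss plus the tail figures a board actually asks about ("how bad is a bad year?")."""
    ordered = sorted(yearly)
    n = len(ordered)

    def percentile(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {
        "expected": statistics.fmean(ordered),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "worst": ordered[-1],
    }


def expected_annual_loss(scenario: Scenario) -> float:
    """Closed form under independence: E[LEF] * E[LM]. Used as a sanity check on the simulation."""
    return scenario.lef.mean() * scenario.lm.mean()


def business_case(before: Scenario, after: Scenario, annual_control_cost: float,
                  trials: int = 20_000, seed: int = 1) -> dict:
    """Money terms for the board: expected loss avoided per year minus what the control costs."""
    loss_before = summarize(simulate_annual_loss(before, trials, seed))
    loss_after = summarize(simulate_annual_loss(after, trials, seed + 1))
    avoided = loss_before["expected"] - loss_after["expected"]
    return {
        "expected_loss_before": loss_before["expected"],
        "expected_loss_after": loss_after["expected"],
        "p90_before": loss_before["p90"],
        "p90_after": loss_after["p90"],
        "expected_loss_avoided": avoided,
        "net_annual_benefit": avoided - annual_control_cost,
    }


# Constructed example inputs (not from the page): account takeover via credential phishing,
# before and after enforcing phishing-resistant MFA. All numbers are illustrative.
BASELINE = Scenario("account takeover, no phishing-resistant MFA",
                    lef=Estimate(0.1, 0.5, 2.0),
                    lm=Estimate(50_000, 200_000, 2_000_000))
WITH_MFA = Scenario("account takeover, phishing-resistant MFA enforced",
                    lef=Estimate(0.02, 0.1, 0.5),
                    lm=Estimate(50_000, 200_000, 2_000_000))

if __name__ == "__main__":
    case = business_case(BASELINE, WITH_MFA, annual_control_cost=100_000)
    for key, value in case.items():
        print(f"{key:>22}: {value:>14,.0f}")
```

Run as-is it prints the before/after expected and 90th-percentile annual losses and the net benefit of the control; change the estimates and cost to your own calibrated numbers. Two caveats a practitioner would add: full FAIR decomposes frequency further (threat event frequency times vulnerability) and magnitude into primary and secondary loss, which this stops short of, and the output is only as good as the calibration of the three-point estimates that go in.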
