The business value of security: CISOs as business leaders

CISO INTERVIEW SERIES — August 2019

Once seen as a barrier to innovation, chief information security officers (CISOs) are increasingly showing how they can help their organizations to achieve strategic goals. As part of our interview series with leading CISOs on how they not only ensure security but also prove its business value, we focus on the leadership qualities they bring to their organizations. Other interviews in the series explore the pressure on CISOs to show ROI from security investments and the critical role of security metrics in proving value.

Featured CISOs:

• Brian Hintze, director of cybersecurity and network management, Fujitsu Network Communications

• Becky Pinkard, CISO, Aldermore Bank

• Paul Watts, CISO (UK & Ireland), Domino’s Pizza Group.
  

Is demonstrating the value that your team creates an important part of your leadership role?

Brian Hintze: This relates to CISOs being business enablers. In our organization we need to prove that we’ve planned for where the business wants to go in the next months or even year. Then, when a business leader tells me: “This is what we need to do, can you help?” I’ve already thought through their problem and come up with a potential solution.

For example, about two weeks ago I had a discussion with a business leader who was looking to use a cloud solution to host some of our proprietary data. I was able to tell him: “That’s OK. We’ve already thought this through. We had an idea that this was coming, we knew what controls we needed to put in place to support that move and we’re already good to go.” He was shocked. And that was a good message for him to be able to take back to his colleagues: the security team is on the ball and ready to go.

In contrast, if you’ve got someone whose only answer is “no,” it will be hard for them to be seen as a business leader. That’s actually the opposite of leadership; it’s slowing down business success for everyone else. You need to be out there in front, helping to increase revenue and profitability — and that’s what we are looking to do.

Becky Pinkard: The CISO role feels like a bit of a unicorn, to be honest. What I mean by that is it’s still not uniformly understood in the business. There are a lot of expectations about the technical knowledge, business acumen and leadership capabilities it requires.

The CISO can help to showcase the value their team brings to the organization by strictly managing its mission and related messaging — they have to speak to the ‘five Ws’ (who, what, where, when and why) of cybersecurity for their company. This requires a PR-like capability for owning and guiding that message across the organization.

Paul Watts: If a close relationship with the business is to be maintained, security teams need to take on the onus of customer satisfaction. There’s a lot to be said for wearing the badge of humility too. If people in the business tell you that they still “don’t get it” (“it” being security), spend time with them to understand why that is, take their feedback on board and change your approach.

If you are at odds with your business, you’ll have little defense and no one on your side when the board challenges your raison d’être. There is no harm in trying to build one-to-one relationships with those in the C-suite. Board members are not always as accessible as you would like them to be, but you won’t know unless you try.

Are you gaining a deeper understanding of business processes beyond technology?

Hintze: We’re always working to better understand the business processes that we’re being asked to enable and secure. We support a number of companies in North America and we’ve been assigning specific liaisons between the security team and each company so we can build relationships.

Pinkard: A desire to develop a deeper understanding of business processes was one of the reasons I took a career side step from 2015 to the start of 2019 to work with a vendor company. As a member of its executive committee there, I learnt about business and product development, the sales and marketing life cycle, client success — all things I’d had no in-depth exposure to in my cybersecurity career.

Watts: Security cannot be a transactional bolt-on component of a business and it cannot possibly add value to a business that it does not understand. A CISO cannot build a function that delivers value to the business without first understanding that business. We should never think that we know more about a business than the business does itself. This has historically been a key point of failure for IT projects, where solutions have been delivered in isolation to the business.

Are CISOs increasingly becoming specialists in specific industry domains?

Hintze: You need domain expertise in certain industries, especially those with lots of regulatory requirements. For me to step into a CISO role at a healthcare company, say, and understand what is going on, I’d need them.

Pinkard: If you find yourself in a highly regulated environment, you must become a specialist to be successful.

Watts: Aside from industry domains, CISOs have to recognize that they must transcend the different domains of business and technology in order to be of value. The education sector needs to recognize that this hybrid of business and technical skills is critical to shaping the security leaders of the future. Postgraduates who are technically strong but lack business acumen and softer skills will find it much more difficult to be successful in future, certainly in a leadership role.

See the other articles in this CISO Interview Series on Business Value of Security:

The challenge of showing ROI from security investment
The role of metrics in showing the business value of security

