The New CISO: Agent of Change
Whereas Information Security used to be all about saying “no,” it is now about being a business enabler and finding ways to say “yes.” One strategy is to proactively engage with the business units:
- Get involved in projects at the beginning in order to integrate security into the design of the product or service.
- Promote early integration of security as a way to simplify the security design process, control costs and avoid release delays caused by security flaws found late.
- Make friends with procurement in order to find out about items before they are purchased.
As a result of numerous high-profile breaches, the focus of boards has changed drastically over the last year. The number one topic for board members is now cyber security. Whereas they used to ask “Are we compliant?” they are now asking “Are we secure?”
- Be transparent in your conversations. Acknowledge that incidents will happen and that, when they do, the team’s focus is on how quickly it can identify and mitigate the threat.
- Tell the board what you want from them and work to understand what they need.
- Find an advocate on the board. Identify the “designated board geek” who will be asking the hardest questions. Meet with them before the board meeting to brief them on the issues in advance.
- View your board presentation through the lens of “Would Elmo get this?” The higher up your audience, the less technical your presentation should be.