CISO Tips Speaking the Language of Business
©2017 Cybereason. All rights reserved. 1
CISO Tips: Speaking the language of business
The six phrases CISOs can use to connect with business executives
“A cost center that doesn’t align with the rest of the organization. Is run by people who don’t
understand the business objectives. The part of organization that fails to deliver return on
investment. The department of no.”
If you’re a CISO or an information security leader, these are some of the phrases that you
may have heard used to describe your department (or possibly you). Whether or not these
depictions are accurate is debatable. But what’s not open to discussion is that the role of
information security executives has evolved. CISOs may now find themselves talking to
investors about how an attack impacted quarterly earnings in addition to more traditional
duties like managing a SOC.
Fortunately, CISOs aren’t the only leaders with a technology background who had to
demonstrate their business acumen to peers. CIOs had to make this same transition. When
these technology leaders began to appear in organizations about 15 years ago, they also had
to align with the business objectives. CISOs now find themselves in the same role. They’re in
the boardroom with peers who don't understand how security impacts them.
To connect with business-minded colleagues, CISOs need to learn and speak the language of
business, which centers around these six concepts:
1. Risk
2. Revenue
3. Employee efficiency
4. Strategic value
5. Cost
6. Customer satisfaction
Risk
Addressing risk is critical for CISOs when talking to other C-levels and the board. Risk
mitigation is the link between a company’s security and business units. CEOs, COOs and
CFOs want to reduce it while CISOs are the ones who can accomplish this task. CISOs
should try and avoid talking about super technical details. The CEO and your board don’t
need to know about server configurations or the nuances of the organization’s patch
management strategy. But, they do need to know if the company can muster enough servers
to prevent a DDoS attack and has patched the Windows vulnerability that lets attackers use
the EternalBlue exploit.
Revenue
Simply put, this is how information security can help an organization make money. While this
concept may seem obvious, InfoSec departments are often perceived as the department of
no. Even worse, security personnel, and the CISO in particular, are viewed as the people
responsible for stifling innovation. And innovation can give a company an edge over their
competitors - hurt innovation and you risk hurting revenue. To avoid being seen as the
department of no, CISOs need to talk to their colleagues about what they’re working on.
The sooner CISOs learn about upcoming projects, the sooner they can suggest ways to
incorporate security from the start. Not only does this make a product more secure, but it also
allows the development process to be in tandem with the addition of security measures.
Employee efficiency
Security is often seen as impeding employee efficiency. Countless employees can share
anecdotes of how a security application slowed down or crashed their machine. And there’s
the belief that security departments stifle innovation, which also ties into employee efficiency.
The situation sometimes plays out like this: Developers spend months adding features to a
product. Eventually, the security department reviews this work and determines that some of
the features could jeopardize a customer’s security and need to be dropped. The developers,
who feel that they’ve wasted their time, now spend even more time reworking the features to
meet the information security requirements.
Strategic value
Information security has to show the value that it brings an organization. Security programs
can't be carried out just for the sake of security. They have to be conducted in the context of
the organization’s overall business objectives and help the company meet those goals. The
security department can’t block innovation.
Cost
When buying a security tool, hiring for the security team or making any other security-related
expenditure, show that spending this money is less of a financial risk than not addressing
the vulnerability. This is especially true when discussing budgets with CFOs, who relate
everything to finance, money and return on investment. For an even more detailed view of
how a business works, security executives should befriend the CFO and ask to look at the
profit and loss statement.
Customer satisfaction
Product development is the link between information security and happy customers. Product
teams are the ones responsible for creating the services and products customers use while
security teams ensure that those products and services are as secure as possible. The
challenge for security teams is to keep the product secure without impeding its performance
and negatively affecting the user experience. Achieving this requires security to be involved
from the start of a product's design. When information security partners with product,
incorporating security is much easier than trying to tack it on once the item is being sold,
leading to protected and content users.
Business leaders care about how security fits into and improves each of these areas. Avoid
talking about technical topics that only people with computer science backgrounds would
understand. The average executive isn’t going to understand cross-site scripting or machine
learning algorithms. But they do want to sell a product that protects customer data, reduce the
risks the organization faces and increase yearly revenue.
Don't abandon your technical roots
Becoming business savvy doesn't mean technical knowledge and maintaining relationships
with the people who carry out IT security are less important. CISOs must master being
involved in both of those realms. Security executives need cred with the analysts who attend
Black Hat. But they also need to earn a seat in the boardroom by demonstrating that they’re
the source of understanding risk from an IT infrastructure perspective.
There is hope for the CISO
Technology is now seen as critical to providing an organization with a competitive advantage
while CIOs are expected to be included in executive discussions around corporate strategy.
The same fate awaits CISOs if they frame information security discussions around how their
plans benefit the organization and speak the language of business.
About Cybereason
Cybereason is the leading provider of behavioral-based enterprise attack protection,
including endpoint detection and response (EDR), next-generation antivirus (NGAV),
and active monitoring services. The Cybereason solution reduces security risk, provides
complete visibility, and increases analyst efficiency and effectiveness. Cybereason partners
with enterprises to gain the upper hand over adversaries. Cybereason is privately held and
headquartered in Boston, with offices in London, Tel Aviv, and Tokyo.