CISO Tips: Speaking the Language of Business

The six phrases CISOs can use to connect with business executives

©2017 Cybereason. All rights reserved.


“A cost center that doesn’t align with the rest of the organization. Is run by people who don’t understand the business objectives. The part of the organization that fails to deliver return on investment. The department of no.”

If you’re a CISO or an information security leader, these are some of the phrases that you may have heard used to describe your department (or possibly you). Whether or not these depictions are accurate is debatable. But what’s not open to discussion is that the role of information security executives has evolved. CISOs may now find themselves talking to investors about how an attack impacted quarterly earnings in addition to more traditional duties like managing a SOC.

Fortunately, CISOs aren’t the only leaders with a technology background who had to demonstrate their business acumen to peers. CIOs had to make this same transition. When these technology leaders began to appear in organizations about 15 years ago, they also had to align with the business objectives. CISOs now find themselves in the same role. They’re in the boardroom with peers who don’t understand how security impacts them.

To connect with business-minded colleagues, CISOs need to learn and speak the language of business, which centers around these six concepts:

1. Risk
2. Revenue
3. Employee efficiency
4. Strategic value
5. Cost
6. Customer satisfaction


Risk

Addressing risk is critical for CISOs when talking to other C-levels and the board. Risk mitigation is the link between a company’s security and business units. CEOs, COOs and CFOs want to reduce it, while CISOs are the ones who can accomplish this task. CISOs should try to avoid talking about highly technical details. The CEO and your board don’t need to know about server configurations or the nuances of the organization’s patch management strategy. But they do need to know if the company can muster enough servers to withstand a DDoS attack and has patched the Windows vulnerability that lets attackers use the EternalBlue exploit.

Revenue

Simply put, this is how information security can help an organization make money. While this concept may seem obvious, InfoSec departments are often perceived as the department of no. Even worse, security personnel, and the CISO in particular, are viewed as the people responsible for stifling innovation. And innovation can give a company an edge over its competitors: hurt innovation and you risk hurting revenue. To avoid being seen as the department of no, CISOs need to talk to their colleagues about what they’re working on. The sooner CISOs learn about upcoming projects, the sooner they can suggest ways to incorporate security from the start. Not only does this make a product more secure, but it also allows the development process to proceed in tandem with the addition of security measures.

Employee efficiency

Security is often seen as impeding employee efficiency. Countless employees can share anecdotes of how a security application slowed down or crashed their machine. And there’s the belief that security departments stifle innovation, which also ties into employee efficiency. The situation sometimes plays out like this: developers spend months adding features to a product. Eventually, the security department reviews this work and determines that some of the features could jeopardize a customer’s security and need to be dropped. The developers, who feel that they’ve wasted their time, now spend even more time reworking the features to meet the information security requirements.


Strategic value

Information security has to show the value that it brings an organization. Security programs can’t be carried out just for the sake of security. They have to be conducted in the context of the organization’s overall business objectives and help the company meet those goals. The security department can’t block innovation.

Cost

When buying a security tool, hiring for the security team or making any other security-related expenditure, show that spending this money is less of a financial risk than not addressing the vulnerability. This is especially true when discussing budgets with CFOs, who relate everything to finance, money and return on investment. For an even more detailed view of how a business works, security executives should befriend the CFO and ask to look at the profit and loss statement.

Customer satisfaction

Product development is the link between information security and happy customers. Product teams are the ones responsible for creating the services and products customers use, while security teams ensure that those products and services are as secure as possible. The challenge for security teams is to keep the product secure without impeding its performance and negatively affecting the user experience. Achieving this requires security to be involved in a product’s design from the start. When information security partners with product, incorporating security is much easier than trying to tack it on once the item is already being sold, leading to protected and content users.


Business leaders care about how security fits into and improves each of these areas. Avoid talking about technical topics that only people with computer science backgrounds would understand. The average executive isn’t going to understand cross-site scripting or machine learning algorithms. But they do want to sell a product that protects customer data, reduce the risks the organization faces and increase yearly revenue.

Don’t abandon your technical roots

Becoming business savvy doesn’t mean technical knowledge and maintaining relationships with the people who carry out IT security are less important. CISOs must master being involved in both of those realms. Security executives need cred with the analysts who attend Black Hat. But they also need to earn a seat in the boardroom by demonstrating that they’re the source of understanding risk from an IT infrastructure perspective.

There is hope for the CISO

Technology is now seen as critical to providing an organization with a competitive advantage, and CIOs are expected to be included in executive discussions around corporate strategy. The same fate awaits CISOs if they frame information security discussions around how their plans benefit the organization and speak the language of business.

About Cybereason

Cybereason is the leading provider of behavioral-based enterprise attack protection, including endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services. The Cybereason solution reduces security risk, provides complete visibility, and increases analyst efficiency and effectiveness. Cybereason partners with enterprises to gain the upper hand over adversaries. Cybereason is privately held and headquartered in Boston, with offices in London, Tel Aviv, and Tokyo.