I was chatting with a security vendor I won’t name, and their CEO told me during the call, “Wow, it’s so refreshing to meet a CISO who can speak the language of business. That’s really lacking in our industry, isn't it?”
It certainly is.
The CISO needs to speak two languages. They need to speak the language of engineering and deeply understand the technology (so that they understand the security risk), but they also need to speak the language of money and balance sheets, because security risk is just another form of risk, and risk is just unrealized but potential financial loss.
Aligning security work to the needs of the business is the core job function of the CISO.
This is what marks the difference between a CISO and a Security Engineering Manager or a Head of Security. A CISO is a business leader who integrates security risk management into the business. A Security Engineering Manager or a Head of Security is generally thinking at a more tactical level, and typically reports to a CIO, CTO or VP of Engineering, who is the one integrating security into the business.
I frequently see unproductive bun fights on the socials on the question of “Does a CISO need to be technical?” which is a dumb question because of course the answer is yes. You can’t be an effective CISO just because you have an MBA.
But on the flip side, if you can only play the technical card, and can’t think about your work from a business point of view, then you aren’t integrating risk management into your employer’s overall business objectives.
You can’t be a bridge between two worlds if you don’t have a foot in both worlds.
Corporate security isn’t a moral crusade, it’s not an objective goal, we aren’t seeking perfection, we’re seeking to manage security risk (which is just another kind of risk) to meet the Board of Directors’ risk appetite.
SEC regulations make it clear that the Board of Directors have a responsibility to manage cybersecurity risk.
What are those risks? What’s the potential financial impact? What’s the likelihood? How much money would it cost to mitigate those risks? How much money does it make sense to spend mitigating security risk?
This is the central question of the CISO role. That’s why I measure my own job performance based on how well I optimize for Security ROI.
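The questions above (impact, likelihood, cost to mitigate, how much is worth spending) are the inputs to a Security ROI calculation. The following is an added worked example, not code from the original post: it annualizes each risk as impact times likelihood (ALE = SLE × ARO), scores each candidate control by the loss it avoids against what it costs (ROSI), and then picks a portfolio of positive-ROSI controls within a budget. All risk figures, control names and costs are constructed, hypothetical numbers chosen for illustration, not from any real assessment.

```python
"""Constructed worked example: ranking security controls by Security ROI.

ALE  = SLE * ARO                       (expected loss per year for one risk)
ROSI = (ALE_before - ALE_after - control_cost) / control_cost
A control is worth funding when ROSI is positive: it avoids more loss than it costs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: financial impact of one incident, in dollars
    aro: float  # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                   # name of the Risk this control mitigates
    annual_cost: float          # licences, staff time and upkeep per year
    sle_reduction: float = 0.0  # fraction of impact removed (0..1)
    aro_reduction: float = 0.0  # fraction of likelihood removed (0..1)


# Constructed sample inputs: hypothetical figures, not from any real assessment.
RISKS = {r.name: r for r in [
    Risk("ransomware", sle=2_000_000, aro=0.1),
    Risk("phishing account takeover", sle=50_000, aro=4),
    Risk("laptop theft", sle=20_000, aro=2),
]}

CONTROLS = [
    Control("offline backups", "ransomware", annual_cost=60_000, sle_reduction=0.75),
    Control("phishing-resistant MFA", "phishing account takeover", annual_cost=40_000, aro_reduction=0.9),
    Control("full-disk encryption", "laptop theft", annual_cost=5_000, sle_reduction=0.9),
    Control("enterprise DLP suite", "phishing account takeover", annual_cost=300_000, aro_reduction=0.5),
]


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control has reduced impact and/or likelihood."""
    return (risk.sle * (1 - control.sle_reduction)) * (risk.aro * (1 - control.aro_reduction))


def avoided_loss(risk: Risk, control: Control) -> float:
    """Expected annual loss the control prevents."""
    return risk.ale - residual_ale(risk, control)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment; negative means the control costs more than it saves."""
    return (avoided_loss(risk, control) - control.annual_cost) / control.annual_cost


def rank_controls(risks: dict, controls: list) -> list:
    """Controls ordered from best to worst ROSI."""
    return sorted(controls, key=lambda c: rosi(risks[c.risk], c), reverse=True)


def select_within_budget(risks: dict, controls: list, budget: float):
    """Greedy portfolio: fund positive-ROSI controls in ROSI order, at most one
    per risk, while the budget lasts.  Returns (chosen, total_cost, total_avoided)."""
    chosen, remaining, avoided, covered = [], budget, 0.0, set()
    for c in rank_controls(risks, controls):
        risk = risks[c.risk]
        if rosi(risk, c) <= 0 or c.risk in covered or c.annual_cost > remaining:
            continue  # not worth it, risk already covered, or unaffordable
        chosen.append(c)
        covered.add(c.risk)
        remaining -= c.annual_cost
        avoided += avoided_loss(risk, c)
    return chosen, budget - remaining, avoided


if __name__ == "__main__":
    for c in rank_controls(RISKS, CONTROLS):
        print(f"{c.name:26s} ROSI={rosi(RISKS[c.risk], c):+.2f}")
    picked, spend, saved = select_within_budget(RISKS, CONTROLS, budget=100_000)
    print("fund:", [c.name for c in picked], f"spend=${spend:,.0f} avoided=${saved:,.0f}/yr")
```

With these constructed numbers the cheapest control (full-disk encryption) has the best ROSI, the expensive DLP suite has a negative ROSI and is never funded, and the $100,000 budget buys encryption plus MFA while leaving offline backups unfunded because it no longer fits; the point of the exercise is that the ranking comes from the balance sheet, not from which control is technically most impressive. The model is deliberately simple: SLE and ARO are point estimates rather than distributions, and controls addressing the same risk are not allowed to stack.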