The Chief Information Security Officer (CISO) is a relatively recent addition to the ranks of organizational leadership. It is a key role for businesses and organizations that possess the necessary resources and recognize the need for a robust security program. When leveraged properly, the CISO assumes a leadership position that is integral to an organization’s C-suite.
However, not every organization's leadership understands the role of the CISO. The CISO's job is not to eliminate all risk; that is impossible in the current threat landscape. The CISO must instead understand the risk an organization faces holistically and then develop a security strategy that reduces those risks to a level that matches the organization's risk appetite.
A major component of that task is translating and communicating the level of severity of major risks to the other members of the C-suite. It’s only through this kind of proactive, clear, and actionable communication that a CISO can gain full buy-in from the rest of the executive team to prioritize efforts and infuse security into the culture of the company.
How the Cybersecurity Landscape is Shifting
In the past decade there have been massive changes in the ways cybercriminals conduct attacks. Ten years ago, it was much more difficult to extract or extort money from organizations. What was once the province of talented threat actors conducting targeted attacks against large organizations has shifted to a marketplace where even the most amateur threat actor can conduct a successful cyber attack, thanks to the rise of ransomware-as-a-service and other forms of commoditized criminal infrastructure.
There are now criminal services and threat actors for hire. A budding attacker can partner with, and learn from, everyone from initial access brokers to payload specialists to ransom negotiators. Cryptocurrency has also made it far easier for cybercriminals to monetize their attacks.
These changes have not just leveled the field for threat actors; they have also removed any safety in being a small or obscure target. Cyber attacks are launched every single day against businesses of every size in every industry. In the decade to come, threat actors will learn to leverage AI to automate attacks and increase their effectiveness, commoditization of the cybercrime market will continue, and the arms race between threat actor and security team will go on.
This is the increasingly fraught and dangerous environment CISOs face. To effectively defend against these attackers, CISOs must have the solid support of the rest of the C-suite.
How a CISO Can Get Executive Cybersecurity Buy-In
The task of gaining C-suite support begins with the CEO. Ultimately, the CEO carries most of the organization's risk. The principal task of the CISO, then, is to help the CEO understand how a proactive security program addresses and mitigates those risks. The CEO can then garner the support and assistance of the rest of the C-suite to enable the CISO to execute the security program. Accomplishing this requires translating risk information in a way that is understandable and digestible to a CEO and C-suite who often lack cybersecurity training and experience.
One of the best ways to help executives and other employees understand an organization's risks is through storytelling. Dedicating a board meeting to making risk concrete, by dissecting a real-world incident or painting a realistic picture of a hypothetical but significant security incident, will grab the CEO's and C-suite's attention and make the once abstract idea of cybersecurity real for them.
Engaging Executives with a Tabletop Exercise
Tabletop exercises are an effective way to translate risk scenarios into realistic situations your CEO and C-suite must react to. However, these should feel much less technical than the type of exercise a CISO might conduct with their own security team. Executive level tabletop exercises are conducted much like a role-playing game, where the entire C-suite is gathered around a table, debating and making decisions as the CISO leads them step-by-step through a plausible cyber attack on their organization. Here are a few tips for creating a tabletop exercise that will translate into a culture of cybersecurity from the top down.
1. Create a Custom Scenario
To make the tabletop exercise most effective, you have to make it palpable. They need to feel it. This is done by creating a custom scenario built on the strengths and weaknesses of your actual organization. The Cybersecurity & Infrastructure Security Agency (CISA) publishes a large library of CISA Tabletop Exercise Packages (CTEPs) that any organization can use as a template or launching point for its own custom exercise. By customizing one of these packages to your organization and scenario, you maximize the realism and improve the outcomes.
2. Have an Outcome in Mind
To be most effective, make sure you have an objective identified. It is a waste of time, effort, and resources to undertake something as involved as a tabletop exercise with your C-suite without a defined end goal. For example, say you are looking to secure budget for an identity provider for single sign-on (SSO). Knowing that nearly 75% of all breaches involve the human element, center the tabletop on an account takeover and build it from there. Make sure the scenario shows the precise point in the attack chain where the control you are asking for would have stopped it; for an SSO rollout, that is typically the centralized enforcement of multi-factor authentication and the ability to revoke a compromised identity everywhere at once rather than application by application. If the scenario does not turn on that point, the budget ask will not follow from it. Chances are, you will watch in real time as the executives take in just how easily this hypothetical could become reality, and you can use that reaction to fuel a substantive conversation about the budget you need.
3. Paint the Picture for Each Person
Put risk in terms each executive can understand. Talk about money to your Chief Financial Officer and reputation to your Chief Marketing Officer. While your end goal is, of course, getting the CEO on board, translating risk to each member of your executive team can start a snowball effect: each member recognizes and owns the portion of risk that falls to them, stops offloading security decisions to the CISO, and adds their voice to the case for proactive protection made to your CEO.
This personalization of risk to each executive also has a cascading effect, helping them communicate their department’s share of risk to their entire team, which will create a stronger culture of organizational security.