An organization’s CISO is critical to business strategy and brand reputation – a point underscored by the widespread shift to cloud services necessitated by the COVID-19 pandemic. But how can businesses empower the CISO? And what will be required of the CISOs of the future? Our panel at CISO US Live shares its insight.
During a recent panel discussion at CISO US Live, we discussed where a CISO should sit within the C-suite and how a security team should be structured to ensure an organization has the talent and skills it needs today and in the future. The panelists were:
- Fred Kwong, CISO, Delta Dental
- Lester Godsey, CISO, Maricopa County
- Rob Hornbuckle, CISO, Allegiant Air
- Marnie Wilking, Global Head of Security & Technology Risk Management, Wayfair
Choosing the right CISO reporting structure
Security leaders hold an expanding role in executive management, with responsibilities to protect on-premises, cloud, and operational technology environments. As a result, CISOs are increasingly in the top tier of executive management: according to Fortinet research, 63% reported directly to the CEO or board of directors in 2020, compared to just 40% in 2017.
Each organization is different, however. Marnie Wilking, Global Head of Security & Technology Risk Management at Wayfair, reports to her organization’s chief technology officer (CTO), a relationship she sees as advantageous in helping her make decisions and demonstrate her value to the board.
“I’ve been in a lot of organizations, and I’ve seen the CISO sit in a lot of positions, and I think the CISO should sit wherever they get the most work done,” Wilking says. “Reporting into the CTO, I have great conversations about what tooling we need and I’m able to make the business case that I need. Having a good relationship in the reporting structure is key.”
Fred Kwong, CISO at Delta Dental, reports to the chief information officer (CIO), although he says most risk-based decisions are worked on collaboratively through the organization’s cyber risk management team.
“We incorporated an internal risk committee, which is made up of our head of HR, CFO, CIO, general counsel, and our privacy officer,” Kwong said. “When it comes to making choices in terms of the amount of risk we’re willing to accept, that’s the committee that makes those decisions on behalf of the CEO.”
He continued: “The key is to have good partnerships with marketing, finance, and general counsel because ultimately the decision is an executive leadership decision. You have to speak in business terms when you’re talking about cybersecurity and cyber risk.”
Rob Hornbuckle, CISO at Allegiant Air, also reports to his organization’s CIO, though he meets regularly with the CEO and presents at every board meeting, where he leans heavily on the marketing department’s tooling to show the business where he is adding value.
“I use the impressions systems that our marketing department does to show the impressions that the organization has from a security standpoint,” Hornbuckle says. “If you talk to your CMO, they have very developed tools for doing just that, and if you can piggyback off those to show how you affect the reputation of the business.”
Making your case
Of course, it isn’t always easy for CISOs to make their business case effectively, nor to receive the financial backing they need. Lester Godsey, CISO at Maricopa County, describes this as a major challenge, one that requires him to have a strong overall understanding of the business’s strategy and goals.
“It’s a challenge and there’s no one way of doing it,” Godsey says. “But in our positions, it’s so important to understand what drives the organization. CISOs need to be flexible – and as long as your priorities align with the organization’s goal and objectives, you’re in good shape.”
This is a viewpoint shared by Wilking, who believes that while many CISOs come from a technical background, the ever-evolving role now requires security leaders to have a more general understanding of their business’s roadmap and priorities.
“As the role has evolved, it’s become more important to make sure you’re seen as part of the business,” she said. “I have regular meetings with business leadership to understand their pain points, strategies, and where they think there may be friction. Being able to demonstrate the business value of what you’re doing as a security leader is really important.”
Hornbuckle believes that if CISOs develop strong business relationships and understand the business’s ultimate goals, they will be able to influence the organization more effectively.
“The higher that is, the more influence we have over these things,” he said. “As long as what we’re doing is supporting the business model of the organization, we have as much influence as we need. We need to work with all leaders to figure out what a business actually needs.”
The changing role of the CISO
The influence that a CISO has over an organization has perhaps never been more important. The COVID-19 pandemic has brought security to the forefront over the past 18 months, as organizations have been forced to embrace remote working and have accelerated their journeys to the cloud.
For some, such as Maricopa County, this was a rapid and somewhat unexpected shift that brought forward a lot of security challenges.
“Government was not as far along the cloud-first journey, so it was a little more jarring and abrupt for us. In our case, we saw an inordinate increase in cloud adoption,” says Godsey. “From a risk perspective, with the adoption of cloud services, we’re seeing more attack surfaces, so we need to build that into our security team.”
He adds: “We’re seeing more interest in artificial intelligence (AI) and machine learning (ML) technology, so we also need people in security who understand data and know the right questions to ask.”
The transition to the cloud has also made coding skills a must-have for security teams, says Wilking, who believes that democratizing security across engineering teams is critical if an organization wants to make the most of this transition.
“If you really want to take advantage, you need to be doing security as code as well, and the only way you can do that is if you have coders on your team,” she said. “A lot of what we need on the security team is not what we needed 10 years ago.”
She concludes: “We need people that can write the code so things can be automated. I want to democratize security so developers and infrastructure folks understand security to the extent that they can build it in themselves.”