The last time there was a collision of such magnitude was about 4.5 billion years ago, when a Mars-like rock hit Earth and formed the Moon. Now, we are not not suggesting that the relationship between the CISO and The Board creates as much chaos as that did, but it’s not far off.
The conversation around the CISO and the Board has come up time and time again, and every time it comes up there is a different answer or opinion on how the relationship should be. We don’t necessarily think there is a definitive answer to this, but we also don’t think there should be such widespread inconsistencies in what people & organisations think.
Security as a whole is still in its infancy and we think the industry needs to first truly understand the role of a CISO.
We have teamed up with Guillaume Ehny, CISO at Go Henry and Haydn Brooks, CEO at Risk Ledger, to get their thoughts on the locking of horns in the relationship between CISO & ‘The board’.
First off…what is a CISO and what do they do?
In today’s noisy and chaotic market, security at all levels is still maturing, CEO’s & business owners are still trying to work out what a CISO is, and where it sits in their organisational chart. This is probably a discussion for another blog ‘What makes a CISO a CISO’. But for now, let’s say this, ‘A CISO is an individual who is at the senior most level responsible for security’
“Throughout its 30 year young lifetime, the role and place of the CISO is still fuelling debate across the industries and sectors. Whether we’re looking at its remit or reporting line, it seems open to interpretation depending on your interlocutor’s background or company’s threat profile.
For small companies, the technical, hands-on, one-man army is an expectation or, often, a must. Keeping alive that myth of “the Unicorn”, capable of securing the SDLC, monitor production environments 24/7, owning incident response, getting the company (not only the IT stack) compliant with such-and-such standards, owning the risk register, the security budget, the roadmap and building the team. These items’ ratios tend to vary from a CTO, COO, or CFO given their affinities.
Not that it is not possible, all CISOs do more than what they can with what they have, but it is dangerous as it creates very quickly a single point of failure and a premature ageing for the security professional.“
Guillaume Ehny
“I have seen CISO job descriptions that want CISOs to perform technical operations, and other job descriptions more directed at CISOs performing governance duties and defining policies. I have seen descriptions where CISOs own compliance to key regulation, and other roles where they don’t. The role is so varied that saying you’re a CISO often doesn’t tell me much more than you are broadly responsible for information security at your company.
Since the CISO role is varied within every organisation, trying to define what makes a good one can be quite hard as what might work well for one organisation may not work well for another. Having said that I do think there are recurring attributes across the best CISOs I have worked with.
The first of these is the ability to build, maintain, and influence relationships. A CISO needs to be able to build strong relationships both above and below him within his reporting line, but also laterally across the business with other functions. This allows the information security team to effectively influence and engage the entire organisation.
The second is strong business acumen, to supplement a strong technical skillset. Being an expert at security does not help you understand the context of how security fits into your wider organisation. Being able to understand how your organisation functions allows you to mould your information security team to the needs of the business.”
Hayden Brooks
Both Guillaume and Hayden make very good points, CISO job descriptions can be wildly different depending on who writes them, and what that person actually thinks a CISO does. There is no defined background, experience, data, metrics or pathway that you can come from to be a CISO. Maybe one day we may start to see a set of standards and criteria that need to be met to justify being called a CISO. Have you managed X budget? Does the company have X amount of employees? X amount of turnover?
What does someone on the board actually do?
We know board members play a pivotal part in steering the business ‘ship’ and if you have the CISO title, you really should have that board interaction where you can influence and reassure key stakeholders on the security strategy.
“The board is focused on setting the vision and direction for the business and putting in place a team of executives to deliver on it. Each of its members contributes to the business strategy by leveraging its knowledge and experience and participating in its governance and model.“
Guillaume Ehny
“As a group they are responsible for steering the company towards a strategy based on the decisions they make on behalf of the company. These decisions are usually made in board meetings and can be made through discussion and agreement, or through a board vote, and are formally recorded in board meeting minutes.
Each individual board member is there to provide their point of view on the decisions at hand and to offer their opinion on the right course of action.”
Hayden Brooks
So…what makes a good board member?
According to leadinggovernance.com there are 10 things that make a good board member, Understanding your role, lead not manage, be engaging, strategic rather than operational, have a great succession plan, continually learn and develop, present the right information at board meetings, work as a team, challenge the business and constantly review performance. It is interesting to see that all 10 of these points are focussed on soft skills rather than the technical aspects.
“In my view, challenging and supporting the company’s executive team. Asking questions and getting involved in finding the best approach to the situation, including where valuable, bringing external advisors and resources to guide and strengthen the executive team.”
Guillaume Ehny
“The qualities that make a good board member overlap heavily with the qualities that make a good leader. Good board members are passionate about the company they serve. They are energetic and able to inspire and incite the same energy in others. They are strong problem solvers, and they are resilient, with a high tolerance for stress. Finally, they lead, not manage, and they are able to break large problems and large tasks into actionable pragmatic plans and support their teams in executing against them.”
Hayden Brooks
How do you make the relationship work?
Building meaningful and effective relationships can sometimes be a difficult thing to grasp, and when you work with large teams, and senior stakeholders, it often requires the ability to adjust and adapt to how you act and interact.
“I see the collaboration between a board and a CISO as a relationship where both parties learn from each other. Communication is key and just like learning a new language, it’s all about regular practice to achieving fluency.
Looking at it from the other side and with a rather fresh pair of eyes, I’d say the CISO role is true to its sector, constantly evolving. Back in 1995, most infrastructures were on premise, in the basement, and the major concern was securing the organisation’s buildings. Since the explosion of the Cloud and its impact on product development , network and application security are now crucial. And in the last 5 years, social engineering and ransomware have claimed their seats in the Top 5 risks for companies and their security teams. The role and remit of a CISO have grown, continuously expanded its field of impact, placing it as a business leader rather than a simple technician.
This pace of role redefinition is unusual at board level, giving way to missed opportunities and misunderstanding from both sides…
The adoption of a common language is crucial for the CISO to fully support the business and for the board, and wider stakeholders, to obtain confidence in the security programme and organisation governance.
Until this language is in place, there is likely to be a lack of involvement from the board in the security programme, with the risk that this stance will cascade all the way down the organisation. If a board is not actively involved in prioritising security initiatives and concerns, the rest of the organisation will mimic that behaviour.
Efforts on both sides will be required, for the board to understand and measure the full impact of security on the business, through supply chain, business continuity, risk management, governance, and recently growing, ESG, where information security plays a major role on S and G (see JPMorgan and KPMG reports), and for the security professional to understand how the business makes money, what is truly important to grow and prosper and especially what is not.
The basis of that language can be measured by the alignment with the organisation’s risk profile and appetite, the financial impact of the security programme (implementing an £80,000 solution to reduce the likelihood of a £300,000 loss) or demonstrating the reputation impact and competition advantage of a security and privacy product feature.
As for becoming fluent in that new language, it doesn’t happen over night and take consistent application from all practitioners.”
Guillaume Ehny
“How should a CISO interface with the board? Should they have a seat or a direct reporting line? Having been a security practitioner, and now being the CEO of a high growth tech start-up and chairing our board of directors, I understand some of the nuances behind why there is no easy answer to many of these questions.
Ultimately, it depends on the specific board and specific CISO in question, both on their roles and responsibilities but also on their personalities. There is no right answer. Having a CISO who tends to talk in a technical language and puts security above all other company requirements will probably cause more friction with a seat on the board then they will remove – making it harder for both the board and CISO to do their jobs. But for a highly technical board or company who prioritises security, it may work well.
Conversely, a CISO who can think strategically, advise the board on how they can achieve their strategy with a well-defined risk appetite may end up adding real value to a board’s discussions, or they may clash with a board composed of much more technical profiles.
In my opinion, the best way to define this language is to ask and discuss it, and to build relationships with your counterparts. Ask the board, shareholders, and senior leadership team what their expectations are of the CISO role and how they see the CISO role supporting them, regardless of whether you have a board vote or not.
At the end of the day, the board and CISO should work together to set clear goals and expectations for the information security team. Both groups should be completely transparent with each other and should run regular ‘kaizen’ sessions (this is a Japanese term that means continuous improvement) where they talk to each other about where improvements in the working relationship can be made. “
Hayden Brooks
We would like to thank both Guillaume and Haydn for their time and answers for this article.
Guillaume Ehny
CISO at Go Henry
Strategic and innovative Chief Information Security Officer (CISO) and board-level professional, supporting and growing businesses within the security sector. I specialise in assisting FinTech companies assess security standpoints and requirements, in order to successfully align with suitable business strategies and objectives.
Haydn Brooks
CEO at Risk Ledger
A big-4 cyber risk consultant by trade, I specialise in supply-chain security. Whilst running supply chain assurance programmes on behalf of the security teams at a number of clients, I experienced the amount of pain and headaches these programmes caused my clients, their suppliers, and the individuals delivering the programme.