
Cybersecurity Leaders: Think in Business Terms

Aug 06, 2021

The vast majority of cybersecurity chiefs (93%) do not report to the CEO, according to a recently published report. As a result, a lack of communication between the C-suite and cybersecurity leaders keeps top executives largely in the dark about their organizations’ cybersecurity risks and overall security posture.

The report, published by LogRhythm and based on research by the Ponemon Institute, polled 1,426 security and technology leaders. “On average, respondents are three levels away from the CEO, which makes it very difficult to ensure that leadership has an accurate and complete understanding of security risks facing the organization,” the report says.

Company executives aren’t as focused on security as they should be, instead letting security leaders shoulder most of the burden for protecting the organization. Since they don’t have enough influence with top executives, security leaders struggle to achieve a strong security posture customized to their organizational needs. 

Business leaders tend to focus on other areas, such as building a skilled workforce, improving the corporate culture and refining the customer experience. “The importance of having people, process and technologies in place to proactively prevent and detect attacks from hackers, malicious insiders as well as negligent insiders is often being overlooked by the CEO and the board of directors.”

The Business Approach

It’s clear those in charge of cybersecurity need a stronger voice in the C-suite and on the board of directors. To be heard, security leaders must think in business terms so they can more effectively explain cyber risks from an organizational perspective. There’s a tendency to focus on the blocking and tackling without concentrating enough on making the case to top executives.

To change this paradigm, the report makes several recommendations to elevate the role of cybersecurity leaders:

  • In communications with business leaders, frame the protections in place for important data assets such as intellectual property and customer records in a business context, not in a way that negatively impacts business goals and operations.
  • Recommend concrete actions to address any existing gaps in the company’s cybersecurity defenses.
  • Ensure there is an incident response plan (IRP) in place and that the CEO and directors understand the importance of preparedness.
  • Persistently discuss cybersecurity needs and explain “the financial, regulatory and reputational quantifiable and qualitative consequences of a security incident.”

The Importance of a CISO

The importance of addressing cybersecurity needs in business terms cannot be stressed enough—this approach underpins the business value of the CISO role. According to an (ISC)² survey, 86% of organizations that appropriately staff cybersecurity jobs and are prepared to defend against cybersecurity threats employ a CISO.

The (ISC)² study also reveals that organizations that properly utilize and empower a CISO find that the CISO contributes to a strong cybersecurity culture. These CISOs also have the power to influence change and make cybersecurity a strategic business priority, since 43% report directly to the CEO and 14% report to the Board of Directors. As a result, leadership understands the importance of strong security practices and reinforces those practices.