Nehemiah Security partnered with MightyGuides to interview seven industry experts with the mission of advancing the risk management conversation among cyber professionals. Each interviewee was posed the question, “If your friend was put in charge of measuring cyber risk at their company, what advice would you give them?”
Suzie Smibert, CISO at Finning International, proclaims the CISO “needs to be a business leader more than a technical leader.” We couldn’t agree more with Suzie. She paints the picture of a CISO walking into a new role, dealing with a crushing amount of data, and assuming control over a highly technical operation. In this scenario, CISOs don’t have the resources to use all the tools they have effectively, yet new tools are always coming to market. Suzie’s advice—simplify. Business leaders need to be able to articulate the business value of their initiatives and how they align with, and support, the strategy of the organization. After doing this exercise, it is much easier, Suzie explains, to narrow down priorities and present them to the Board.
Risk must be quantified in order to make business-driven decisions. Suzie highlights that her board is not concerned with how many viruses were thwarted but is immensely interested in how her program supports the organization’s strategic objectives. Therefore, a CISO needs to take on a business-focused role in addition to the technical one in order to present ideas to the board effectively.
Suzie calls upon cybersecurity leaders to stop thinking of themselves as cybersecurity utility providers and start thinking of themselves as business leaders with security expertise.
- Eventually the CISO will have to go before the board and make the case for an investment. That’s when the CISO needs to be more of a business leader than a technology leader.
- A financial group within the company can help show if a security expenditure is going to have a direct positive impact on shareholder value.