A CISO’s biggest challenge by far is getting executive management to appreciate (and fund) what they do. This scene plays itself out time and time again across the globe in every industry:
CISO walks into the CFO’s office and says, “I need $1M to protect the company.”
CFO: “How much did you spend last year?”
CISO: “Nothing.”
CFO: “…and what happened?”
CISO: “Nothing.”
CFO: “OK, go do that again.”
The good news is that you can beat this by changing the narrative. Stop asking for money and start asking for decisions. We all live in a continuum of risk wherein we choose to spend less money and experience more risk OR spend more money and experience less risk. Explain this to the decision makers and ask them to commit to their choice as to where they want to live on this continuum.
Choosing to save some money and experience more risk is a legitimate business decision. The failure is allowing executives to live there without making a conscious choice. CISOs are their own worst enemy when they position themselves as defenders of the organization because it lets the executives skate on accountability.
Saying the risk is owned by the business is not just a platitude. A CISO must have the ability to translate this into reality.
I’ve arranged to have this Gartner research report made available until March 5, 2013. Non-Gartner clients have to register to get it, but I think most will find it worthwhile.
Gartner Report: Eight Practical Tips to Link Risk and Security to Corporate Performance