Don’t be THAT CISO!!!

Hello, everyone. Rock here. I want to speak with you today about the number one rule for being seen as a business leader rather than just a cybersecurity leader: you have to understand how your organization actually makes money. Shocking, I know.

Imagine that you finally get an opportunity to present to your board of directors as a Chief Information Security Officer.

Now, imagine that after your grand presentation on vulnerabilities, threats, incidents, KPIs, and KRIs, you start getting peppered with questions.

Now, imagine that after a few minutes the chair of the audit committee speaks up and asks you to explain, in your own words, how the organization actually makes money.

Now, imagine a very awkward silence as you fumble around in your head for answers that you just don't have. At best, this completely discredits you as a business leader moving forward. At worst, this becomes a resume-generating event.

DON’T BE THAT CISO!!! The one that runs a cybersecurity program in a vacuum without understanding how cybersecurity impacts the business. It is impossible to tie cybersecurity initiatives to business outcomes without fundamentally understanding how the organization makes money. 

There are two immutable laws of business:

  1. Organizations will generate and grow revenue.

  2. Organizations will reduce and optimize their costs.  

I would argue that a third law is about to be placed on the books around corporate social responsibility. At any rate, as cybersecurity leaders, it is imperative that we understand how our organizations adhere to these two, maybe three, laws.  

If you work for a publicly held company, when was the last time you pulled up its 10-Q or 10-K filings with the Securities and Exchange Commission, or its financial statements: the income statement, the balance sheet, or the statement of cash flows? If you work for a privately held company, when was the last time you reached out to someone from the finance team or a revenue-generating business unit and bought them lunch or a coffee, as virtual as that may be right now?

The reality is that cybersecurity doesn't generate revenue in most organizations. As cybersecurity leaders, we are constantly battling for visibility and budget. We have spent this entire century pounding our fists and SCREAMING that cybersecurity needs a seat at the table, yet as a profession we still haven't learned the lesson that raging on about technical risks just doesn't work.

Since many of you watching this video right now may have kids doing online schooling, I'm going to give you the opportunity to join them. That's right: I'm giving you homework. I challenge you to pull up your company's latest 10-Q or 10-K filings or its financial statements, or, if you work for a privately held company, to do the same for a competitor in your market that is public. I challenge you to compile your questions and then reach out to the finance team or a revenue-generating business unit to have a conversation and get those questions answered. You don't need an MBA to get a seat at the table!
