Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight

Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight

Download CV Contact Me
Blog Post

From Cyber Guardian to Boardroom Luminary – Yogi Berra

March 5, 2024 Blog Educational Series - Stop the Cyber Bleeding | Putting ECRM into Action, Board and CISO Interaction – Best Practices, Governance, Strategy, and Alignment by Bob Chaput
From Cyber Guardian to Boardroom Luminary – Yogi Berra

From Cyber Guardian to Boardroom Luminary – Yogi Berra

It’s like deja-vu, all over again.

—Yogi Berra[1]

Introduction

I recently delivered the keynote at an ISC2 Spotlight event focused on Governance, Risk Management, and Compliance (GRC). The title of my talk was From Cyber Guardian to Boardroom Luminary: The Journey. The discussion was about a “call to arms” for CISOs and their teams to start to change their thinking about ECRM and Cybersecurity and was based, in part, on my book, Enterprise Cyber Risk Management as A Value Creator.  

In the session, I unpacked the title and shared several critical points for CISOs and their teams, including:

  • It’s time for a change in thinking to emphasize cyber opportunities.
  • To do so, we need to engage the C-suite and Board better.
  • To do that, we need to connect to what they most care about (Strategy, Risk Management, Talent Management)
  • To do that, we must first start expertly executing cyber risk management to earn trust and credibility.
  • Then, we can pivot to cyber opportunity management.

Learning Objectives and Subject of this Article

I set forth the following learning objectives for the session, and this article will focus on two:

  1. Describe the need to evolve and elevate the CISO’s and security team’s role.
  2. Cite and explain the board’s three primary responsibilities.
  3. Explain the difference between managing cyber risks and leveraging cyber opportunities.
  4. Define enterprise cyber risk management (ECRM).
  5. Cite ways to drive growth, enable business value, and create competitive advantage.
  6. List five critical capabilities to establish a robust ECRM Program and Cybersecurity Strategy.

In this article, I focus on two of those learning objectives: the need to evolve and elevate the CISO’s and security team’s role, and I tie that into the new CISO leadership organizations need to have in place to develop five critical capabilities to establish a robust ECRM Program and Cybersecurity Strategy.

In future articles, I will take up the other learning objectives.

First, A Reality Check – It’s Not Working

Whoever said it and exactly how they said it aside, the definition of insanity is often cited as “doing the same thing over and over and getting the same result but expecting a different one.”[2] Not many organizations can say that their Enterprise Cyber Risk Management (ECRM) Program and Cybersecurity Strategy are effective. Yet, most organizations in most industries continue to do the same thing repeatedly, including:

  • Investing in shiny new tools without appropriate prioritization.
  • Failing to conduct comprehensive, ongoing enterprise-wide risk and opportunity assessments.
  • Relying too much on control checklists and chasing the threats, vulnerabilities, and controls du jour.
  • Emphasizing too little on filling cyber risk management positions and too much on cybersecurity operations, architecture, and engineering jobs.
  • Treating ECRM and cybersecurity as a tactical, technical, spot-welding exercise.

The Invitation

At this point, almost everyone has seen the cartoon shown at the beginning of this article. Yes, CISOs worldwide are invited to the big kids’ table. But are they ready? Do they possess the right skills, knowledge, and experiences to be there?

CISOs being invited to the table means everyone on the security team is invited. Therefore, the whole team needs to evolve and elevate its role. You must align with, connect to, and do more to support your organization’s strategy. For me, it’s like Yogi said, “It’s like deja-vu all over again.” “Heads up,” CISOs and teams. What is happening to the role of CISO and the security organization is analogous to what happened to the CIO role and the information technology (IT) function over the last four decades.

The CIO Journey

It all started with the seminal article published in 1985 by Michael E. Porter and Victor E. Millar entitled “How Information Gives You Competitive Advantage.”[3] Throughout my business career, which started in the late 1970s, I watched the name of function change from data processing (DP) to electronic data processing (EDP) to information systems (IS) to information services (still IS) to management information services (MIS) to information technology (IT) to business technology (BT), etc.

The name changes were illustrative of the elevation of the importance of the work. Along with these name changes, the work changed from tactical and technical to strategic and more business-focused. As a member of the corporate CIO’s team in both GE and Johnson & Johnson, I participated in the replacement of dozens of tactical managers and directors to strategic VPs. Otherwise, honest, hard-working operational and tactical IT managers were not up to the responsibilities of the elevation role of CIO. Call it gallows humor, the expression for those initially replaced and those who tried to assume the new responsibilities and failed was that CIO meant “Career is Over.”

Recent research published by the MIT Center for Information Systems Research (CISR) underscores how the CIO role has changed, stating that information technology units are more important than ever to building a company’s success while citing how leveraging four key capabilities can result in higher profitability of as much as 24% greater than competitors.[4] Another example underscoring the change is a recent article that discusses how the role of the Chief Information Officer has evolved from focusing on system uptime to driving efficiency to generating revenue.[5]

Two quick points in case they didn’t already jump off the page. First, none of the changes to and elevation of the CIO role would be possible without a robust ECRM Program and Cybersecurity Strategy. Second, analogous changes are underway for the CISO role.

The CISO Journey – From Cyber Guardian to Boardroom Luminary

The CISO role must evolve, and many people in these roles must change. 

The graphic on the left highlights some of the changes that are already required of CISOs. This short list implies the need for CISOs who are leaders and influencers capable of facilitating a major transformational program.

With these significant changes and the continued, seemingly never-ending increase in attacks and cybersecurity failures, CISO may mean “Career is Seriously Over” for many unprepared CISOs. There are significant parallels between the evolution of the two roles, CIO and CISO. Many security responsibilities fell under the manager or director of infrastructure without acknowledgment of a separate, specialized role.

Replacements of CISOs have happened similarly to CIOs over the previous decades. Some current CISOs will make the transition; many will not. The CISO role must evolve, grow, and adapt for the role to be a meaningful one at the table.

The New CISO Responsibilities

As I discuss at length in both Stop the Cyber Bleeding and Enterprise Cyber Risk Management as A Value Creator, establishing, implementing, and maturing your ECRM Program and Cybersecurity Strategy is transformational and strategic. As a CISO, you must work with the C-suite and Board to facilitate the development of the five essential capabilities shown in the image below, just as you would for any other transformational and strategic program.

In Chapter 13 of Enterprise Cyber Risk Management as A Value Creator, I provide ten recommended bite-size implementation steps to get you started developing these capabilities. I will cover these further in upcoming articles.

Conclusion

As I outlined in the introduction, it’s time for a change in your thinking to emphasize cyber opportunities and participation in higher-quality engagement with your C-suite and Board to make a direct connection with their top responsibilities (i.e., Strategy, Risk Management, Talent Management.) To do that, you must first start expertly executing cyber risk management to earn trust and credibility. Only then can you pivot to cyber opportunity management.

For any changes described in the paragraph above to happen, individuals with new skills, knowledge, and experience must take on CISO assignments. These new leaders must be relationship builders with business savvy who can inspire the transformation from controls-focused to risk-based, tactical to strategic, technical to business-oriented, and from today’s spot-welding approaches to a more architectural design.

In future articles, I will explore these ideas further, including the new attributes required of today’s CISOs.

Endnotes

[1] BrainyQuote. “It’s like deja-vu, all over again.” (n.d.) Accessed Apr. 20, 2023. Available at https://www.brainyquote.com/quotes/yogi_berra_135233

[2] Albert Einstein. “The definition of insanity is doing the same thing over and over and expecting different results.” May 29, 2017. Accessed March 4, 2024. Available at https://professorbuzzkill.com/2017/05/29/einstein-insanity-qnq/

[3] Porter, Michael E. and Millar, Victor E. Harvard Business Review Magazine. “How Information Gives You Competitive Advantage.” July 1985. Accessed April 6, 2023. Available at https://hbr.org/1985/07/how-information-gives-you-competitive-advantage

[4] Woerner, Stephanie L. and Weill, Peter. MIT Center for Information Systems Research (CISR). “Companies with a digitally savvy IT unit perform better.” March 12, 2019. Accessed April 20, 2023. Available at https://cisr.mit.edu/publication/2019_0301_ITUnitDigitalSavvy_WoernerWeill

[5] Pratt, Mary K. CIO. “The rise of the revenue-generating CIO.” October 24, 2022. Accessed September 17, 2023. Available at https://www.cio.com/article/410237/the-rise-of-the-revenue-generating-cio.html

Taggs:
Copy link
CopyCopied
Powered by Social Snap