
Question for the Boardroom: Is Management Involving the CISO in Strategic Business Decisions?

09/11/2018  |  By: Mark Johnson, CISSP, Shareholder, Information Security


Big decisions happen quickly. As a Board of Directors, you know that. Often, big decisions don’t involve key leadership within the company like the security team. This leaves them scrambling to implement controls or otherwise get up-to-speed with company changes.

This generally happens because of a simple misunderstanding. There’s a misconception that security teams are the “no” police and will do anything in their power to keep the business from making big changes.

However, the goal of a good cybersecurity team is to align itself with the goals of the business, not to say “no” whenever possible.

Here’s a simple analogy:

When asked why brakes on a car are important, most people will respond, “Because they let you stop when you need to.”

I would argue that brakes are important because they allow you to go faster than you would without them.

Imagine driving a car without brakes. You’d have to stay on flat ground and wouldn’t be able to go more than 10-15 miles per hour.

The same is true for information security controls. They don’t exist to slow your organization down, or worse—to stop it in its tracks. Your organization’s cybersecurity team exists so that your company can take bigger risks in a safer manner.

Think about it: Without security controls, your organization would hardly be able to store or process any sort of sensitive data, because it would be so readily accessible to anyone who wanted to get into your network and find it.

Security controls and the efforts of your cybersecurity team are what allow your business to function the way it does. However, your security team functions best when it can be involved in strategic business decisions—when there’s a two-way relationship established between management and the security team or the Chief Information Security Officer (CISO).

As a Board of Directors, how do you help foster that relationship at your organization? First, understand that it is the responsibility of the management team to involve the CISO in strategic decisions. Rarely will a CISO beat down the door of management to get involved in big decisions. And, even if that does happen, he or she is unlikely to find a team that understands why his or her involvement is necessary. Thus, management must take the initiative to understand the importance of the CISO role and the benefit of involving the security team in strategic decisions.

Second, it’s the responsibility of the CISO to be a good team member. What does that mean, exactly? Mainly, the CISO can’t be the “no” police. He or she can’t shut down every proposition that presents risk to the organization. It’s imperative that the CISO understands not just the propositions made by the management team but also why they are important to the business.

If the management team proposes a strategic move that poses a moderate risk to the company’s security but could have huge financial payoff, the CISO must be willing to entertain and potentially help implement the idea. Beyond that, the CISO must understand the language of the boardroom and be able to present security concepts to management in ways that are easily understandable and accessible.

In the end, both the CISO and the management team are working toward the same goal—a better business. However, each side must do their part to ensure that the goal can be realized.

If you’re interested in more effectively involving your CISO—or information security in general—in strategic business decisions, click here to contact us, and learn how LBMC Information Security can help.

This blog is the second in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.

Posted in: Security Consulting