Why CISOs must understand the business
While CISOs require technical skills, they also need business skills to push their agenda and secure the funding and support they need.
By Isabella Harford, TechTarget
When you hear the term CISO, you immediately think of the person responsible for a company’s cyber- and data security strategy. The CISO’s role involves keeping the organization afloat. Without the proper planning, a data breach could lead to financial and reputational damage that could cause an organization’s collapse.
However, many CISOs struggle to get support from their colleagues, board members, and C-level professionals.
Erdal Ozkaya, author of Cybersecurity Leadership Demystified, said, “If you are a nerd that can’t talk about business, they won’t take you seriously.”
Ozkaya offers CISOs tips on how to balance the technical and business aspects of their role, and advice on how to communicate cybersecurity at both the senior and the operational level. He also provides guidance on how to build a successful security organization, implement effective security operations practices, work with HR, and create an incident response plan.
Ozkaya, the author of 16 infosec and cybersecurity books, discusses why it is important for CISOs to understand business strategy and explains why CISOs must build relationships with other departments in order to be successful.
Editor’s Note: This text has been edited to be more concise and clear.
Who should read your book?
Erdal Ozkaya: This book will be of benefit both to CISOs who are trying to get there and to newcomers. As a security advisor at Microsoft I met many CISOs who weren’t from the cybersecurity field. They were searching for advice but couldn’t find any book that would cover all their needs. This is what I tried to do with Cybersecurity Leadership Demystified.
Ozkaya: For people who are in the industry and those who aren’t, I will answer both.
People who work in the industry are often nerds, computer geeks, or gurus. They enjoy programming, conducting penetration tests, and minimizing communication. However, in a C-level role, you must be able to talk about security with people who don’t understand technology. CISOs today must be able to understand technology and business. This is also true for those who are not from the industry. You’d be surprised at the number of CISOs who have previously worked in product management or marketing. These individuals may have business experience but they still need to be able to understand technology. CISOs need to understand cybersecurity’s core values so that they can design the best defense mechanisms.
What departments and teams should CISOs prioritise partnering with?
Ozkaya: CISOs need to work with all departments. However, not all departments are equal in cybersecurity. For example, the cleaning department cannot help with computer viruses. This requires the assistance of the incident response team.
It’s not a question of if you get hacked, it’s about when. Get ready to get your business back online as soon and as quickly as possible.
Begin by working with the incident response team.
A second option is to have a security operations team who can monitor the network.
Third, you should have a red-and-blue team. These internal ethical hackers are able to spot vulnerabilities.
The only difference between hackers and the red team is that the hackers will metaphorically break into your home, open your safe, and leave a Post-it note.