There are five key reasons for CEOs to include CISOs in what I would call strategic planning - thinking about long-term, mission-critical goals and global processes.
In this series of columns, I’m reviewing and commenting on ideas in A Seat at the Table for CEOs and CSOs: Driving Profits, Corporate Performance & Business Agility by Jackie Bassett and Daniel Rothman and edited by Raquel Filipek.
The authors’ Chapter 1 is entitled “Why?” They start with five key reasons for CEOs to include CISOs in what I would call strategic planning (thinking about long-term, mission-critical goals and global processes). Each reason has explanations from the authors, but it’s worth simply listing them to give readers a sense of the issues (quoting directly):
1. Because to every CEO there are no competing business priorities to revenues and profitability.
2. Because in today’s global economy, it’s innovate or perish.
3. Because it makes good business sense.
4. Because CEOs have arrived at the same near-paralyzing epiphany. [i.e., the realization that “…companies simply can’t continue operating under the same business security model.”]
5. Because “insanity is doing the same thing over and over, and expecting a different result.” – Albert Einstein
Bassett and Rothman propose that “Security today has become a reverse salient – a growth inhibitor or a system component that has fallen behind in the evolutionary process of technological innovation.” They argue that it’s time to bring security into the forefront of strategic planning. They point out that in a 2006 study of “100 of the most innovative companies,” “more than 95% of CSOs [chief security officers] or CIOs [chief information officers] report directly to the CEO or to a senior vice president who reports directly to the CEO and plays a significant role in strategic planning.”
On a personal note, I and many other security management specialists have long argued that the CISO must not report to the CIO any more than the head of financial audit should report to the CFO. CISOs and auditors should not have a conflict of interest by reporting to the people whose management they ultimately evaluate on behalf of all the stakeholders in the organization.
Bassett and Rothman’s key points about the optimal strategic orientation of CISOs and CEOs include the following practical suggestions (these are my own interpretations of just a few of their insights - readers would do well to read the original):
* Security breaches are key indicators of broken business processes, not simply technical glitches.
* Every security incident brings to light a potential for improving business profitability through process improvement.
* CISOs must understand – in detail – the business objectives of each sector of the organization they are protecting. A good way to start is by listening carefully to sector managers one-on-one.
* CISOs can also serve as internal consultants to the strategic planning committees, offering ideas on how improved security can increase the value of services as well as offering technical perspectives that can improve profitability.
* Marketing departments can be taught to regard the masses of customer and prospect data as goldmines of potentially valuable knowledge (as opposed to merely information) with the help of the CISO, who can sometimes replace expensive external consultants while simultaneously ensuring the security of these proprietary data. Exerting control over marketing data can support a competitive edge.
* Integrating the CISO’s knowledge and imagination fosters useful innovation; without integrating security into new initiatives from the start, organizations risk falling into disasters like those that are in newspapers every week.
More from Bassett and Rothman’s excellent book in the third and final column in this short series.