Looking back, the first half of 2024 has been tumultuous, with high-profile cyber threats targeting businesses across all industries. Yet in the face of these attacks, recent research conducted by Netskope found that over half (57%) of chief information security officers (CISOs) report having increased their cyber risk appetite.
However, CISOs don’t feel that this growth in confidence is reciprocated by their chief executives: a third see their CEOs as much more risk averse than themselves, and 92% of CISOs report that differing attitudes to risk cause tension with the wider C-suite.
This points to a clear imperative. CISOs need to communicate in terminology the rest of the executive team shares, framing their examples in terms of business outcomes (revenue, key results or business growth, for example) rather than controls. Without this, they will never bring their executive peers to a position of confidence in the organisation’s security approach and in how it contributes to business objectives, enabling growth and innovation.
In short, a business that is too risk averse will not have the confidence to innovate or grow. The CISO must be able to make that case, rather than fixating on promoting specific technical actions.
Balancing cyber risks
Businesses manage a series of balancing acts every day—between innovation and reliability, for instance, between investment and profit, and between speed and security. Each leader contributes to the weighting of these risk decisions, and traditionally, as chief protector of the business’s information assets, the CISO has been expected to sit at the cautious end of that scale. But this role is evolving.
For the past decade, CISOs have gradually adapted their roles as business has become increasingly digitised and data driven. They are no longer confined to a back-office support function but have stepped forward to take their place alongside their peers on the executive team in broader business discussions and risk decision-making. The information CISOs work to protect sits at the heart of business innovation projects, and so they hold the keys to drive (or inhibit) that innovation.
However, our research found that two in three CISOs (65%) believe that other members of the C-suite still do not see that the CISO role makes innovation possible. So how can chief information security officers ease CEOs’ concerns—and the concerns of their peers—around cyber risks, and help the wider organisation to see them as true business enablers?
Embed security across the business
For CISOs to build CEO and board comfort with cyber risk, they must take the time to address those leaders’ reservations: improving the board’s understanding of the threat landscape and how it relates to their business, agreeing explicit margins for risk tolerance, and outlining the measures taken to protect data, the lifeblood of modern business.
A common struggle is demonstrating, tangibly, the value cybersecurity adds to the bottom line. To overcome this, CISOs should reframe the question and ask their fellow C-suite members: how could you drive consistent revenue if uncontrolled risks were allowed to hamstring the business?
It’s not only the board and executive teams: CISOs should proactively build relationships with all departments across the organisation to understand their priorities and business goals to identify how security can help deliver against them. This is about moving from solely managing risk to also supporting business enablement. By creating links across the business, CISOs can shift from an entirely defensive role of ‘protector’ and become more progressive, proactive and permissive.
Build confidence through strategy, not tactics
When speaking with the CEO about security posture, CISOs too often find themselves having tactical rather than strategic conversations. Zero trust is a case in point: 58% of CISOs say their executive teams and boards are asking about it.
So what is zero trust? It is a security model built on the premise that no user, device or connection is trusted by default: every request to access company assets is verified, continuously and at a granular level, regardless of where it originates. It is a popular trend that has gained awareness among non-technical senior stakeholders, probably as a result of US and UK government guidance extolling its virtues and importance (the US federal mandate for zero trust architectures under Executive Order 14028 and the UK NCSC’s zero trust architecture design principles, for example).
It is positive to see fellow executives engaging with the organisation’s security architecture, and over half of CISOs (55%) believe a zero trust approach will help them balance conflicting priorities. CISOs should embrace and nurture this interest, while being clear that zero trust is an architectural model and a multi-year programme rather than a product to be bought, and use it as a starting point to map out the options available and build a long-term vision for a security posture that supports the business’s needs.
The trust paradox
Both the CISO role and the zero trust model must balance an inherent contradiction. It can seem counterintuitive to claim that a CISO can increase an organisation’s overall flexibility and speed when the external perception is that their focus is on imposing more controls; likewise, it is precisely by removing implicit trust that a zero trust model allows access to be granted safely from anywhere.
But in reality, CISOs can help their C-suite peers win new revenue, drive efficiencies and navigate regulatory requirements more quickly and flexibly precisely because the CISO has ensured the business is secure. CISOs who can show their CEOs how they contribute to business growth in this way will be the ones most recognised as valuable contributors, and the ones most successful in shifting CEO attitudes to risk overall.
In short, an effective, modern CISO should be able to demonstrate how they are managing risks to the organisation’s most valuable asset—data—and allowing their CEO and fellow executives the space to take calculated risks and innovate.
Over the past decade, the role of CISOs has changed significantly. They increasingly aspire to be seen as advisers and enablers to their CEO and executive team. In this volatile cyber environment, CISOs are growing in confidence, as they become the cool head in the room that helps reassure their fellow C-suite peers and build the conditions they need for the business to flourish.
James Robinson is chief information security officer at Netskope