How a CISO can exert influence at board level

Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” As he is perhaps best remembered for his infamous ear-biting antics, he is unlikely to be a role model for many of today’s Chief Information Security Officers (CISOs), but the former heavyweight boxing champion does have a point. The biggest challenge faced by CISOs today is not the need to defend against known risk, but to identify the potential gaps in their own strategy. In short, to intuit what may be the ‘unknown unknowns’.

Because it is not simply a question of rolling with the punches. Like any good boxer, the CISO’s best defence is anticipation. They need to step back from individual skirmishes and establish a strategic defence against potential blows which may not yet have been considered, even by their opponents. And the most valuable skill they can possess to facilitate this? It is not a heavyweight knowledge of the information security domain, but the ability to influence.

For while protection against known risks can, to an extent, be delegated to the wider CISO team, the senior CISO cannot dodge the essential forward-thinking leadership role required. They cannot simply oversee comprehensive risk analysis, the integration of appropriate security tools and the development of a security culture; they must also ensure that they influence in such a way that priority is given to the organisation’s defensive strategy.

So, in addition to a high level of technical expertise, a thorough understanding of the business model and an ability to mitigate risk, the CISO needs to articulate the state of information security to the company stakeholders and lead employees. They need to do this to ensure that resources are available to defend against the (as yet) unknown. And for this the CISO must possess influence; and that influence needs to be at board level.

Now, few would argue with an irate Tyson, but in reality his approach is not usually the best model for those wishing to exert board-level influence. Influence comes from confidence – both inner confidence and the ability to engender confidence in others. If fellow board members consider the CISO to be fully informed and strategically prepared, they are more likely to listen attentively. If they feel that funding and time are requested in a pragmatic way, with no unnecessary extras, then they are more likely to allocate resources.

The VirtualCISO™, developed by SRM to meet this need, provides CISOs with all the resources and tools necessary to fulfil their role at the highest level. But it also provides strategic guidance from a designated, highly qualified industry expert with an excellent knowledge of the wider sector and a detailed knowledge of the businesses with which they are working. Through collaboration and understanding, a detailed and cost-effective roadmap can be developed, arming the CISO with the muscle required for board-level influence.
