The New CISO: Demonstrating the Value of Your Program to the Layperson

  • Mar 30, 2022
  • Stephen Moore
  • 4 minutes to read

    Many businesses fail to understand the business value of cybersecurity and only realize it once a breach has already occurred. How can a CISO demonstrate value to the organization without making false guarantees? In this episode of The New CISO Podcast, Andrew Obadiaru, CISO and Head of IT at Cobalt, shares advice and tips for CISOs, including how to respond to some of the most difficult questions that may arise.

    Challenges in perspective

    One of the main challenges in the industry is that cybersecurity departments must prove their worth to their own company. Because a security incident can result from anyone's actions within an organization, it is especially important to convey the purpose of the department. Andrew mentions, “If people don’t see value in what you’re bringing because you are not able to demonstrate that in real time, or there’s no KPIs or stats you can use to demonstrate value add, the CISO must go the extra mile to be able to make that case on a consistent basis.” Andrew believes that if you can point to related data points, such as how cybersecurity affects ROI, then you can properly convince others of its value.

    Building connections

    When selling the idea of cybersecurity to the rest of an organization, Andrew says to lean on soft skills. Learn the right balance between technical and business language when talking to executives. Andrew encourages CISOs to focus on conveying the concepts and to get into the more technical details only if asked.

    Andrew says, “You have to know how to engage, how to build relationships, and how to make security be relevant to all these other business units.” 

    Prior to entering a budgeting meeting, it’s important to have allies on your side. This doesn’t mean simply asking someone to back you right before the meeting begins. Andrew mentions that building connections and creating allies can take weeks or even months. These relationships should help you convey to leaders how cybersecurity will affect their departments. That way, when you ask for a larger budget and explain why, the other department heads will understand the relevance and be more likely to back you.

    Budgeting meetings

    When entering budgeting meetings, your approach must be different from the one you use for other topics. Andrew suggests that you ask yourself the following questions: “What needs to be protected as part of your day-to-day business operation? How critical are these crown jewels (your data, your systems, your devices, the things your organization needs to function)? How protected are these crown jewels? If they’re not sufficiently protected or your budget discussion is around these crown jewels, then it makes it a lot easier for you to be able to convey that message.”

    Andrew also states, “You also want to be able to understand the security risk to the organization, whether it is losing the competitive edge or market share, reputation, or financial losses.” 

    Once you know what the company values and how well, or how poorly, it is protected, you can properly convey what you need. Andrew stresses the importance of knowing your audience and their level of expertise on the topics you plan to speak about. That will help you manage the level of detail you present. Technical knowledge is important at times.

    If you’re entering a routine optics meeting, outline the current threats that the industry or competitors have seen, and discuss how you plan to mitigate them.

    Maturity vs. efficacy

    Andrew differentiates a mature organization from an effective one. A mature organization may have a lot of documentation, repeatable steps, and other solid processes. However, maturity doesn’t always indicate how effective an organization will be in a crisis, because the organization can become complacent. For example, Andrew says, “An incident response plan: The matter of fact that you have a complete or mature document does not necessarily point to the efficacy of that process. For me, you have to find a way to test that efficacy separately from what you may consider a mature process.”

    It is not enough to say, “We built a document and got it signed by all the key stakeholders, so this is a mature process.” You need to be able to test that separately to ensure that what you have in place is consistent with an efficient process, and that everyone understands their roles and responsibilities.

    “Are we secure?”

    Oftentimes, the CEO or other executives will ask, “Are we secure, now?” If asked this question in an interview, Andrew explains that sharing a plan of action may be the most impactful answer, such as: “‘I don’t know enough to be able to give you that, but once I come on board as part of my 90 days, I’ll be able to give you a definitive view of what I think we can do to put ourselves in that position. But for me to speculate right now, it would not be the appropriate thing to do.’”

    Overall, Andrew encourages CISOs never to rush to answer any question. You don’t need to prove how intelligent you are by answering quickly; it’s more important to answer correctly.

    Advice for the younger self

    Andrew shares career advice he would tell his younger self, saying, “Be measured. Evaluate the organization and make the right decision.”

    The CISO is an important role with great responsibility. CISOs must communicate clearly about risk to others within the organization, build connections across the organization, and be truthful and careful when answering questions.

    To learn more about demonstrating the value of your cybersecurity program, listen to the full episode or read the transcript.

    The New CISO Podcast Episode 62: Demonstrating the Value of Your Program to the 'Layman'

    About the author: Stephen Moore

    Chief Security Strategist, Exabeam. Stephen Moore is a Vice President and the Chief Security Strategist at Exabeam, and the host of The New CISO podcast. Stephen has more than 20 years of experience in information security, intrusion analysis, threat intelligence, security architecture, and web infrastructure design. Before joining Exabeam, Stephen spent seven years at Anthem in various cybersecurity practitioner and senior leadership roles. He played a leading role in identifying, responding to, and remediating their data breach involving a nation-state. Stephen has deep experience working with legal, privacy, and audit staff to improve cybersecurity and demonstrate greater organizational relevance.