In August 2019, Bloomberg published an article about the difficulty of retaining a Chief Information Security Officer (CISO) and the ongoing struggle to fill open cybersecurity roles. Good people are hard to find and expensive, and that expense perpetuates the myth that cybersecurity creates no value for a company but is simply a cost that must be endured to meet regulation or to avoid a potential loss.
Organizations that buy into this myth will eventually pay for their shortsightedness. When cybersecurity is treated as cost avoidance rather than as a deeply ingrained part of organizational culture, it will eventually break down. Paradoxically, in such an organization the moment cost-avoidant cybersecurity works well is the moment it begins to fail. What happens when there is no breach, no fine, and no lawsuit? Normalcy bias kicks in: the flawed belief that because nothing bad has happened, nothing bad will happen. Budgets are trimmed, and then a breach eventually, inevitably, occurs.
But not all organizations are fooled by this myth. There are many companies that recognize cost avoidance alone demands a world-class CISO and cybersecurity team. And then there are those that also realize a good CISO, with his or her unique view across departments and diverse skill set, creates a cost-benefit.
The CISO is a bridge between information technology and the people in an organization. A good CISO understands details like contracts and regulations, all while championing the organization’s vision across departments. They make sure that the business’s long-term strategies are part of the technical team’s goals, while also ensuring that the leadership, legal, and financial teams understand risk holistically so that forthcoming privacy regulation and looming cybersecurity threats are factored into next year’s growth plans.
When you look at what a CISO does in non-technical terms, you can see that they allow the organization to grow, operate, and innovate anywhere in the world, by stamping out risk and uncertainty and making security part of a company’s cultural DNA.
Relying on a CISO’s insight can make your business better. For example – who else will advocate for data masking (protecting data while making it functionally usable), or encryption? When used together, not only do you lower your risk of a data breach, but you free up your organization’s data for use in other areas. Data analysis without exposing personal information allows new insights to be unlocked. Cybersecurity done right isn’t just a value add. It fosters innovation. It’s the catalyst for growth. It’s an enabler of change.
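The data-masking idea above, protecting personal data while keeping it functionally usable for analysis, can be made concrete. The following is an added example, not code from the original article or from the author; it uses a small constructed set of customer records and a keyed pseudonymization scheme (HMAC-SHA256) chosen for illustration. The key name and the record fields are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample records for the example; not real customer data.
SAMPLE_RECORDS = [
    {"customer_id": "C1001", "email": "alice@example.com",
     "phone": "+1-555-0101", "region": "EU", "order_total": 120.0},
    {"customer_id": "C1002", "email": "bob@example.org",
     "phone": "+1-555-0102", "region": "US", "order_total": 80.0},
    {"customer_id": "C1001", "email": "alice@example.com",
     "phone": "+1-555-0101", "region": "EU", "order_total": 45.5},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Return a stable pseudonym for `value` under `key`.

    A keyed HMAC is used rather than a plain hash: a plain SHA-256 of an
    e-mail address can be reversed by hashing guesses, whereas without the
    key an HMAC pseudonym cannot. The same input always yields the same
    pseudonym, so analysts can still join and count per customer.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = re.sub(r"\D", "", phone)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: dict, key: bytes) -> dict:
    """Produce an analytics-safe copy of one record.

    Direct identifiers are pseudonymized or masked; non-identifying fields
    that analysis actually needs (region, order total) are passed through.
    """
    return {
        "customer_id": pseudonymize(record["customer_id"], key),
        "email": mask_email(record["email"]),
        "phone": mask_phone(record["phone"]),
        "region": record["region"],
        "order_total": record["order_total"],
    }


def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def spend_per_customer(masked_records: list) -> dict:
    """Example analysis run only on masked data: total spend per pseudonym."""
    totals: dict = {}
    for r in masked_records:
        totals[r["customer_id"]] = totals.get(r["customer_id"], 0.0) + r["order_total"]
    return totals


if __name__ == "__main__":
    # Placeholder key for the demo; in practice the key is generated and held
    # by the security function, never by the analytics environment.
    demo_key = b"EXAMPLE-KEY-NOT-FOR-PRODUCTION"
    masked = mask_dataset(SAMPLE_RECORDS, demo_key)
    for row in masked:
        print(row)
    print(spend_per_customer(masked))
```

The design point worth noting is where the key lives: if the analytics team never holds it, they can measure repeat-customer spend by region without ever seeing a name, e-mail address or phone number, which is exactly the "analysis without exposing personal information" the paragraph describes.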
For example, Wired published an article where a researcher had to order multiple adult toys for work and ended up ruining her e-commerce shopping recommendations. If the site had implemented the “Right to be Forgotten” (the ability for a consumer to delete certain pieces of data in a company’s possession), then this researcher could have removed those purchases and received recommendations for items of value to her. At scale, this can lead to increased sales and improved reputation.
How does an organization take advantage of the value a CISO creates? The answer is simple: Find the best CISO and don’t let them go. Empower them to build cybersecurity into every part of your organization. Their actions will drive growth. Embrace cybersecurity as part of your organization’s cultural DNA. Let them help you use the data you have ethically, with innovations like AI, to maximize value.
World-class organizations embrace the value of the CISO. A good CISO enables the organization to use the information it needs, enables the secure deployment of the devices its customers demand, allows safe access to information in the geographies where the organization needs to operate, and makes it possible to analyze information without putting customers' personal information at risk.
The choice is clear. View your CISO as an investment, and expect a return of 10x, 15x, or even 50x their salary.
It is time to invest in a CISO and the benefits they bring to the organization.
About Stephen Gilmer
Stephen Gilmer is a Certified Chief Information Security Officer (C|CISO) with more than 25 years of experience as a technical expert and executive leader focused on securing technology companies’ most sensitive and valuable data and systems. Stephen previously was in-house CISO at both a biotechnology startup and at two Fortune 10 aerospace, defense, and technology companies. In these roles, Stephen designed and implemented sensitive data and IP security control programs; shaped policy at the national level and security framework formation; and proactively resolved complex investigation, audit, and regulatory oversight issues.
Stephen is a Six Sigma Black Belt who led the transition of the IT infrastructure of a private start-up to address the regulatory and operational requirements of becoming a publicly-traded company. As a CISO executive in an aerospace defense company subject to a consent agreement with the United States Government, Stephen also led global cyber investigations, risk analysis, engagement, and mitigation controls necessary for the organization to successfully navigate oversight requirements and re-establish credibility with Government customers. Concurrently, Stephen built and led the cybersecurity components required to support winning and executing multi-billion dollar government contracts.
Stephen frequently speaks at global cybersecurity conferences, publishes articles on the business necessity of proactive cyber risk management, and advises on and conducts cybersecurity education/training for corporate leadership including the Board of Directors, the C-Suite and Compliance Officers. Stephen Gilmer on LinkedIn https://www.linkedin.com/in/stephengilmer/.