She Said/We Said: Professional Impact And Cybersecurity Program Leadership
We have had multiple posts on creating impact as a CISO or an IT professional. Ultimately you won't get the impact you need to have, and professionally want to have, unless you get the attention and trust of higher-level leadership. Not having impact means you won't get the funding you need for systems or professional development, and your career may stall.
We keep up with other professionals in cybersecurity, and this recent post by Ashley Rose caught our attention. Here is a part of her post that we wholeheartedly endorse, and she says it well:
[M]any chief information security officers (CISOs) still find themselves speaking a technical language that fails to resonate with other leaders. Technical terms often fall flat in boardrooms more concerned with revenue growth and brand reputation. This disconnect is becoming increasingly risky as cyber incidents now directly affect stock prices, customer trust, and executive job security. Plus, boards are being held accountable and personally liable for cyber-risks. CISOs can no longer afford to communicate in technical silos; they must create strategic partners, clearly connecting cybersecurity to business outcomes and informing board members of their fiduciary responsibilities.
Boom.
A key term is "strategic partners." You have a lot going on as a CISO or CIO. It's a good sign that you got the job, and now you need to deliver. You have plans. You have staff. You have your own professional development needs. You have an entire company of people who need to know what to do. It's a lot.
An adage in behavioral science is that you get hired for your skills and fired for your personality. In other words, the hiring committee thought your resume was the best they reviewed. But your supervisors, over about 6-12 months, may think you're not worth the trouble.
You're not going to get your cybersecurity program done, as Ashley alludes to, without top cover from Board and executive leadership. And oh, by the way, your program is not one of their top five priorities unless they think it costs too much given that "nothing happened."
If you cannot get them to see cybersecurity risk management as a strategic priority, you're going to be miserable and ineffective.
Read Ashley's post. Read our posts. Then ask us how we can help you create and lead a more effective cybersecurity program.
