Mind the Gap! CISOs, C-Suite and the communication chasm

With the rise of the CISO role in the last couple of decades, and its ongoing evolution, the communication gap between CISOs and the C-Suite presents an ever-pressing challenge.

Dr Rois Ni Thuama
Postmasters
4 min read · May 1, 2018


Improving internal communications has, and will always be, a priority for organisations of all sizes and specialisms, particularly as new and developing business functions demand new internal structures and job titles. With the rise of the CISO role in the last couple of decades, and its ongoing evolution, the communication gap between CISOs and the C-Suite presents an ever-pressing challenge.

What I’ve seen working with organisations of all kinds is that there’s a clear and palpable disconnect between the business and tech side in many businesses today. It’s a gap that, without a fundamental overhaul of planning and strategy, will remain unbridgeable. The problem here is an absence of understanding on both sides. From the IT side, it’s a challenge to communicate the risks and potential impacts of technical, complex and jargon-heavy issues, particularly when there’s no apparent effect on the day-to-day running of the business. From the business and financial side, conceptualising how IT and security issues fit into business strategy, often with a tight budget, and conveying this to an IT team who may have no financial background, presents its own unique difficulties.

Of course, it’s an understandable dilemma.

How could a leadership team, lacking in technical understanding and sufficient contextual background, objectively weigh up spending, say, £25,000 on email security when the promise of a new marketing campaign could net millions for the same cost? From a bottom-line perspective, the marketing campaign will likely win out. What’s important to consider, however, is that the same marketing campaign relies on successful email communications, making effective email security paramount. When considered alongside the potentially catastrophic reputational and financial damage of an email-based cyber attack, the security investment comes much closer to tipping the scales.

Communicating the business case for security to the C-Suite can be additionally challenging in the context of a knowledge gap within the IT department itself. Increasingly, we’re seeing instances of CIOs and IT managers in organisations who don’t have a technical background, which widens the knowledge and communication gaps between the CISO and decision makers further. Up against the CFO, the CIO often doesn’t have the technical know-how to educate on the business need for IT security solutions. With CISOs generally reporting to the CIO, and not directly into the C-Suite, the needs of the CISO face a twofold risk of not being communicated to the purse-string guardian. With a seat at the management table, CISOs are granted a direct stream of influence to educate those making budgetary decisions on the need for effective cyber protections.

With experts being overridden by those with power and pockets, and projects coming to a standstill because IT and business priorities are at loggerheads, it’s the company as a whole that loses out. Without proper cyber protections in place to secure a company from all sides, the company remains at risk of irrevocable damage to both the business and its finances.

So, what’s the solution?

One option is to empower the IT side to report directly into the C-Suite, so that the person making information security decisions for the business has decision-making power in line with their expertise. The data privacy officer and the heads of information security and compliance are the roles with the expertise required to make business decisions around cybersecurity; they need to be empowered to hold purchasing authority. Another option is to introduce new hires to the business. Whether for new or existing roles, those who understand the tech side as well as the business side will be key in bridging the gap by virtue of their knowledge, and are also in a unique position to minimise the communication chasm between IT teams and the C-Suite execs.

Ultimately though, this isn’t just a question of CISOs and the C-Suite. With the increasing digitisation of all aspects of business and in light of the impending GDPR, breaking down the barriers to IT and tech is a pressing issue for the business as a whole. It’s now pivotal that everyone in the organisation understands the implications of communicating with customers and managing their data. The CMO needs to become au fait with the tech, for example, so that they can effectively and securely navigate marketing campaigns. In order to help the whole company progress through GDPR and beyond, a concerted effort to better understand and communicate about tech is required from all areas of the business, and hiring new C-Suite execs with technical competency will only serve to benefit the organisation in the long run.

All of these options require internal buy-in, negotiation and a change in organisational mindset. Implementing these changes may be lengthy and complex, but ultimately it will prove the best way to safeguard the organisation and its employees from costly breaches and cyber attacks.

Dr Rois Ni Thuama
Postmasters

Specialising in cyber governance, cyber crimes & cybersecurity. Working with OnDMARC protecting emails.