How CISOs escape the cost center trap

Leadership StrategiesLeadershipTechnology, Data, and Digital
Article Icon News Article
十一月 18, 2021
2 read
Leadership StrategiesLeadershipTechnology, Data, and Digital
These five strategies can help CISOs best communicate the value security brings to their organization.

Excerpt originally published in CSO Online by Mary K. Pratt

Russell Reynolds Associates Consultant Ahmed Jamil spoke with CSO Online on the importance of communicating value.

The increasing number and sophistication of cyberattacks have companies boosting their cybersecurity budgets—again—in the upcoming year.

PwC’s Global Digital Trust Insights Survey found that 69% of organizations expect to boost cyber spending in 2022; 26% will see their security budget up by 10% or more.

Even in this age of high-profile attacks, figures like that help perpetuate the idea of cybersecurity as a cost center. That in turn can leave CISOs at odds with their executive colleagues, and it can leave those other executive leaders frustrated and confused about the value they actually get from their cybersecurity investments.
Leading CISOs, however, have turned that reputation around even as their own security budgets rise. How did they do it? By demonstrating that security is not only critical to business success but is an enabler and a competitive advantage just as much as the digital infrastructure and data assets it protects.

There’s no one way to dispel the notion of security as purely a necessary cost, but the experts we spoke with identified five strategies that can help CISOs get others to see security as a value center.

Consider how your messaging impacts how you’re perceived

In a twist to the business maxim “You can’t manage what you don’t measure,” Ahmed Jamil, leader of the CISO practice at Russell Reynolds Associates, advocates the idea that you can’t improve what you don’t know and understand.

“Sometimes the first step is acknowledgement,” he explains. “You have to have an appreciation for how the C-suite and the board are thinking of you.”

It’s a step that takes some reflection to determine if, as the CISO, you’re viewed as a full executive partner working to shape policy and strategy—or whether security remains an afterthought and bolt-on to those.

“Think about the function. Is it reactive or proactive? How is it positioned in the organization?” Jamil says. “CISOs can get stuck in, ‘Here’s everything we’re doing to keep the organization secure in the current landscape.’ And they’ll show metrics [regarding that effort] to the board but they don’t show what’s coming. But CISOs need to put in business terms how they’re looking around the corner, how they’re being more proactive to show that security is a hub of innovation as much as, say, digital analytics.”

Access the full article here.