Improving business efficiency: the role of the CISO

In the past, the CISO was often the one to say “no” and take responsibility for all security issues, whether actual or potential. Today, the skills of a CISO are no longer just linked to cybernetics: they must also be able to understand and distinguish the various modes of communication essential to meet the constantly evolving needs of employees and the company. So in a context where the threat landscape is evolving at an unprecedented speed, it becomes crucial to apply bottom-up, lateral and top-down communication regarding cybercrime.

Upward communication

The entire industry is looking at the role CISOs play in boardroom awareness. As more and more governments work on strict cybersecurity regulations, executives are turning to CISOs for guidance on how to respond. A welcome development, because ten years ago, CISOs had more limited (and rather business-focused) interactions with their Board of Directors.

Knowing the latest advances in the field of cybersecurity is a real challenge, and anticipating the legal and financial repercussions of the various current and future laws in this area can be particularly complex. Many recent cybersecurity regulations, for example, only apply to government agencies, but that doesn’t mean they won’t have any impact on the private sector. When a government establishes regulations, it often tends to exclude any company that does not respect them.

With this in mind, companies wishing to enter into contracts with a government must also comply with cybersecurity regulations applicable to the public sector. DORA, SREN or NIS2 are some examples, with the NIS2 directive (European cybersecurity legislation) aiming to strengthen the general level of cybersecurity within the EU.

In itself, ensuring that a company’s cybersecurity posture is in compliance with these regulatory requirements can be a full-time job. Among the challenges that CISOs therefore face: finding the best way to explain to their Board of Directors the real risks for the company, avoiding moments of panic among Board members when a threat is reported too late or without a remediation plan in place. Thus, given the rapid pace at which regulation is advancing, the ability of CISOs to communicate upstream will be crucial to guaranteeing the sustainability of the business.

Lateral communication

The more cybersecurity has gained importance, the more the position of those responsible in this area has strengthened within companies.

The responsibilities of the CISO are broad. It is responsible for ensuring the overall security of the enterprise, as well as every digital identity, device and system associated with it. If one of these elements were to fail or be compromised, the company would be in danger and its activities would be affected. However, it is rare for a CISO to take on this responsibility directly, with the person owning the endpoint within the company (whether device, system, monitoring, or management) ultimately being responsible for ensure its safety. It is often the CIO who takes on this responsibility, but other members of management may also be involved as technology becomes increasingly central to their operations.

Thus, the CISO must work together with other members of management to examine their common responsibilities and the established objectives. He must also integrate this approach into his ability to communicate, negotiate and promote, in order to support his commitment to the vision and mission in question. This is how he can build strong relationships, with the support of his fellow managers, to achieve security in line with the company’s objectives.

Downward communication

Top-down communication is probably the most important, especially when it comes to mobilizing teams in a process or motivating them around certain projects. Many people within the security function (analysts in particular) do not want to spend their days consulting incident logs. Instead of delving into this monotonous monitoring, analysts are more interested in detailed information that can help their companies spot possible vulnerabilities in their defense systems or detect breaches that have already occurred.

The CISO can help retain employees, an increasingly difficult task in a highly competitive market. This is possible if he works with people who are committed to proposing solutions to strengthen the security of the enterprise and to making them evolve quickly. Indeed, this results in better performance thanks to greater cohesion within the team. A CISO who can effectively communicate objectives to a team and ensure that they are enthusiastic regarding achieving them will be better able to retain their employees, whether in the short or long term.

General view of the situation

The CISO position was created at a time when businesses needed someone to take care of IT security. As technology has evolved to become central to the success of any business, the responsibility and skills required of the CISO have also evolved. Today, there is less focus on tools, threats and risks. For the modern CISO, what matters is finding a way to improve the efficiency of the company, to connect it and make it more efficient by strengthening the means of communication. Likewise, while the role was limited to understanding technology, today’s CISO must have a more holistic knowledge of the business and be able to master the subject.

The CISO position has always been entrusted to people who are flexible, adaptable and passionate regarding security. But in today’s world, it is above all a question of leadership and communication within the company that is at stake, as well as the security aspect itself. In a company resolutely focused on the future, if a CISO is not up to date with current events and business issues, he has little chance, if any, of succeeding in convincing the Board of Directors of the commercial priorities at the time. heart of its mission, nor to rally the rest of the company to the actions necessary to achieve them.