Organizations can build a broader security strategy and manage risk more effectively when the knowledge of chief information security officers is integrated into the business, say cybersecurity leaders in a new podcast.
When the CISO better understands the market demands and execution requirements of each line of business or mission, they can play a larger role as strategist and help preserve both customer trust and the reputation of the organization, says Chirag Patel, principal at Deloitte & Touche LLP, in the podcast.
It is important to get alignment around both security and governance at the highest levels of the organization, while having the ability to report consistently to different stakeholders so that they are all hearing the same messages, adds Fiona Williams, partner at Deloitte & Touche LLP.
Patel and Williams explore the changing role of the enterprise CISO — and how they can impact business decisions and support innovation when given a seat at the leadership table — in this latest episode of the “Cyber Everywhere” podcast series, produced by CyberScoop and underwritten by Deloitte.
The CISO’s role is changing
“I think now we’re seeing that most CISOs are regular visitors into the boardroom, and the board and the audit committee are asking a lot more questions around ‘what is our security posture?’” Williams says.
She explains that “as organizations face security issues, there’s a lack of understanding at the board level in terms of how to understand the risks that they’re facing, and how they’re appropriately mitigating those risks.”
What’s driving the shift in the CISO role
“As you look at the move to the cloud – the move to mobile technologies – the blur of the lines of responsibility has increased. And there’s not a lot of structure around how security is governed and operated and executed across the enterprise like there was before,” Williams says.
“It’s really important to be able to set up an organization structure with appropriate governance, because ultimately you may find that the CISO is responsible for every incident, even though they may not have the ability to ensure that the controls and the security is appropriately in place in the business,” she says.
Give CISOs greater leverage in operating decisions
“While sometimes it can be difficult to quantify the risk of a cyber breach or the actual dollar value, there tends to be less resistance in gaining alignment on the impact of the breach,” explains Patel.
He recommends that CISOs look at “what business partners in the organization are you teaming with, that you’ve gained buy-in to help evangelize your message, the more you can do that the broader your reach can be, the broader the impact we can have from a cyber perspective.”
Fiona Williams helped establish the Deloitte Security practice and the Advisory Technology Risk Service Area over the past three decades. She has implemented cybersecurity programs for a number of large global companies and has served as the chief information security officer for Deloitte.
Chirag Patel has 17 years of IT experience helping organizations manage cyber risk, leverage digital identities, improve customer experience and develop programs around cyber governance, data protection and threat modeling.
Listen to the podcast for the full conversation on the evolving role of the CISO. You can hear more coverage of “Cyber Everywhere” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by CyberScoop and underwritten by Deloitte. Deloitte is formally known as Deloitte & Touche LLP, a subsidiary of Deloitte LLP. For more details, see www.deloitte.com/us/about.