The Three Questions Every Security Leader Should Ask

1 hour ago 3

​Scott Sumner is chief information security officer at Dassault Systèmes.

getty

When a company suffers a breach, the CISO is often the first person held responsible and, at times, not in a position to prevent it. The mismatch between what companies ask of CISOs and what they actually give them has been growing, and it often becomes a personal liability in the process.​

Security leaders are being asked to take on more accountability than ever before while receiving less structural support, less real authority and less legal protection than their peers in the C-suite. That gap can produce outcomes ranging from disengaged teams to criminal charges. Before any security leader can do their job effectively, they need to answer three key structural questions.​

Reporting Structure

​When the security leader reports to a CFO, CTO or CIO rather than directly to the CEO, security gets treated as a technical issue instead of a business function. Information gets diluted as it travels up through layers of management. People are reluctant to deliver bad news, and as a result, the CISO’s perspective can get filtered before it reaches the people with real decision-making power.​

In contrast, a CISO who reports directly to the CEO has a seat at the table when major business decisions are made. Consider a company about to spend a billion dollars acquiring another firm. A security leader with direct access to the CEO can surface the fact that the acquisition target was breached last year and that it cost them a hundred million dollars, in time for that to actually shape the decision. Without that access, the information may never reach anyone who can act on it.​

That said, title and hierarchy matter less than the independence behind them. Reporting structure can be arbitrary from one company to the next. What matters is whether the security leader has the autonomy to affect real change and whether they are genuinely connected to the organization's business goals. A CISO who can be pressured into softening their assessment of risk is not in a position to protect anyone.​

Authority

The second question is whether the CISO has real authority to match their accountability. Security leaders are held accountable for outcomes, but they often don’t have the formal power to enforce standards. Think of it like a building inspector who can identify every code violation on a property but has no authority to stop construction. A risk assessment is only as valuable as the ability to act on it.​

When a new measure goes into place, will leadership support it? Or will complaints about security being a burden flow around the CISO directly to the CEO? The answer helps clarify whether authority is real or nominal. A combination of access, relationships and credibility creates real authority. A good security leader maintains strong relationships with other business leaders and earns the kind of support that makes enforcement possible. ​

Indemnification

Most C-suite executives, including CFOs and general counsels, are protected by corporate indemnification agreements that protect them from personal legal liability when they act in good faith. Many CISOs, however, are not. Regulators such as the SEC have begun naming individual security executives in enforcement actions, and that has become a serious financial and career risk to CISOs that the industry has been slow to reckon with.​

The case involving former Uber CSO Joe Sullivan made this concrete for many in the field. Until then, most people were not aware of the federal requirement that makes paying a cyber ransom without notifying the Department of Commerce a felony because of the potential risk of funding terrorism. That is the kind of exposure that can turn a good-faith decision made under pressure into a criminal matter.​

In practice, resolving the indemnification issue requires maintaining a close working relationship with the organization's legal department. This doesn’t provide universal protection, but it provides a great deal. Understanding requirements and disclosure obligations, as well as ensuring that decisions are documented and legally informed, can keep managed risk from turning into personal exposure.​

A CISO's primary obligation is to protect the business, but they can only do that if they are also protecting themselves. The word that ties everything together is trust. Security leaders have to trust their teams while verifying what they do. They build trust with the business by grounding every decision in business goals. They earn the trust of employees and customers through transparency and sound judgment. Trust built that way compounds over time and becomes the foundation of everything security leadership is supposed to accomplish.​


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


Read Entire Article