The role of the CISO continues to grow in profile, pressure and importance, especially in the current era of digital transformation. Today's businesses need cybersecurity to survive, and cybersecurity strategies must support business goals to be effective.
In their book, The CISO Evolution: Business Knowledge for Cybersecurity Executives, authors Matthew K. Sharp and Kyriakos "Rock" Lambros aim to provide a roadmap for CISOs navigating the C-suite by presenting lessons on fundamental business concepts through a security lens.
Here, Lambros and Sharp discuss how CISOs can claim their place in the boardroom by understanding business value and connecting it to cybersecurity strategy. They also explain why not all CISOs need an MBA, how to improve negotiation skills and what to do in the face of talent shortages.
Editor's note: This transcript has been lightly edited for length and clarity.
Why did you decide to write The CISO Evolution?
Matthew K. Sharp: In 2020, I gave a talk at RSA. Rock was there in a show of support, but no one else came. It was kind of a low point for me. But because it was just us, we started brainstorming and talking about things like, "How do you build a meaningful budget for cybersecurity in the cloud when the cloud is so dynamic?"
We also realized that we kept going to conferences and listening to so-called thought leaders making insipid statements about talking to the business in business language. But if you ever asked any of them, "Well, how do you do it?" you would get blank looks, because most cybersecurity leaders across the country had no idea.
So Rock, instead of saying, "I'll distance myself from this idiot who couldn't get anyone else to show up at his RSA talk," said, "These are fantastic topics. Let's write a book."
What are some of the key takeaways from The CISO Evolution?
Kyriakos "Rock" Lambros: The beginning of the book lays out key business principles, such as how to break down financial statements, what EBIT [earnings before interest and taxes] and EBITDA [earnings before interest, taxes, depreciation and amortization] mean and why, as a security leader, you should care. Unfortunately, we often find that this kind of basic business insight is lacking in our industry. And it is this foundation that allows us to understand how organizations create value and how we can hold these conversations in boardrooms.
Sharp: Connecting valuation with security strategy is really the main way to make yourself, as a CISO, relevant in the boardroom. If you don't understand how your business is actually valued, you can't stand in front of someone and say, "This adds value" or "This doesn't add value."
Do today's CISOs need MBAs?
Lambros: Full disclosure: Matt and I both have MBAs. It worked for me, but not everyone has to pay between $60,000 and $100,000 for one. It's a very personal decision.
One of the premises of The CISO Evolution is that not all CISOs need a full MBA to be successful. We tried to distill our own MBAs and our 40 years of combined industry experience into something digestible. It's a cheat sheet to help cybersecurity leaders bridge this gap.
You write about the art of negotiation, saying, "It's not just about getting what you want. It's about getting what you want and having the other party feel good about it." What is your advice for CISOs who are not confident in their negotiation skills?
Sharp: Every time you advocate changing the status quo, you are in a negotiation. That can mean negotiating prices with your vendors, negotiating with other business stakeholders over resources and deadlines, or even negotiating to retain key talent when you can't offer raises. If you think you're going to be a CISO and not make changes, you're in the wrong business.
Ultimately, influence is the name of the game. We want to send you into the room equipped with all the right tools and strategies you need for a successful dialogue. You need to make sure you have established meaningful relationships, created a stakeholder map and built a strategy to maximize your influence. The negotiation itself is only the final component.
I am very grateful for the way [former FBI hostage negotiator] Chris Voss approaches negotiation. He argues that empathy and intellectual curiosity give you the ability to sit on the same side of the table as the person you are negotiating with to solve a mutual problem. And so instead of trying to influence that person, which results in a win-win or win-lose negotiation, it turns into a much more collaborative engagement.
I don't think the traditional paradigm, me versus them, is the right way to think about negotiation, and hopefully that comes through in The CISO Evolution. Negotiation is about being a collaborative partner in pursuit of mutual benefit and having the persistence to do some things that are awkward in order to achieve the optimal outcome for the business.
You mentioned talent retention. How can CISOs build their teams effectively amid the ongoing cybersecurity skills shortage?
Lambros: Your network is the number one place to find new talent. Cultivate it. Get out into the community and build relationships.
You can't leave it to the human resources department. They aren't part of the cybersecurity community, which is where your top talent will come from. They understand what you put on paper and how to check the boxes, but they don't understand cybersecurity and what it needs.
Sometimes you will have friction with HR. They often require college degrees for certain job classification levels, for example, but some of the smartest, most talented people I've worked with in cybersecurity don't have degrees. They have degrees from the school of hard knocks, and I'd take that any day. An HR professional might say, "Hey, to be a salary level five employee in our organization, that person must have a degree"; it could be in underwater basket weaving; just check the box. I think that's absurd in the job market we're in right now.
Sharp: Also, as a CISO, just being knowledgeable about talent is quite critical in terms of your influence at the executive level. Talent oversight is a board priority because, for companies attempting digital transformation, attracting and retaining talent is the main constraint. It's not technology, because the public cloud is available. So again, you need to understand how your security program affects the broader organization.