In this episode of CISO Series, Mark talks about  the challenges security organizations may face when trying to demonstrate value to other groups in the company. Listen to these segments of Chris Hodson’s lively discussion with Mark to see how he’s navigated these challenges through his storied career.

Distilling CISO responsibilities into 3 core “hats”

At the beginning of the conversation, Chris asks Mark to condense CISO responsibilities at a higher level into three core competencies. These competencies boil down to data and privacy policy formulation, knowing how to build out the security tech stack, and responding to incidents in the appropriate manner. While these all have overlapping skill sets, aspects of these functions are distinct and it’s rare for a practitioner to have an equal grasp of all three. CIOs and CISOs need to work together to ensure they cover any deficits in these areas. 

“And so, in the perfect world, you'd find somebody that is equally skilled in experience across those three domains or those three sets of responsibilities. In my personal experience, that rarely occurs.”

– Mark Settle, CIO and Author

How emerging requirements around materiality will impact security reporting

Partway through the conversation, Chris asks how he expects regulations like the recently proposed SEC cybersecurity rules will impact the nature and structure of reporting within security organizations. Mark talks about the need for security and IT to communicate about what technology is needed for conducting audits and understanding the company’s security posture.

“If there's a fairly robust security function, there should be regular meetings. It could even be a bi-weekly or monthly where the two groups get together, not necessarily the executive level. The more you know, the working staff level to make sure everybody knows what each other is kind of doing.”

– Mark Settle, CIO and Author

Talking to the board about security risk

Mark continues his response to the question about emerging regulations by talking about how CIOs and CISOs can engage with their organization’s board. In this part of his response he stresses the need to expand the board’s focus on risk management. Identifying if there’s a risk committee is a good first step, as well as being strategic about what you share with them. Going into granular detail about defenses might be a distraction for example, but you should show enough to highlight that you’re following industry best practices or taking actions that make sense for an organization of your size.

One thing that's become very popular is for the audit committees to spin off something called a risk committee. And so if I were a CISO, one of my first questions would be, is there a risk committee on the board?

– Mark Settle, CIO and Author

‍

{{ promo }}

Identifying the constraints CISOs face justifying their budgets

Mark discusses how different situations may impact the budget which security is meant to operate. For example, Mark talks about a time when his CFO allotted his team a specific number that he had to make work for his program. Conversely, some organizations may be subject to audits or incidents that compel investments into specific types of software applications. Mark recommends that practitioners remain cognizant of the situation within their organization so that they can balance leadership’s preferences with the needs of their function.

“Now here’s a unique thing about security. If there was a DevOps tool or a data analysis tool, I would go to the groups using them and tell them they need to consolidate to fit into a budget number. When you get into security it’s fundamentally different. If there’s a breach, you have to get up to the board and say what happened. And then Mandiant comes in and says you’re not using 3 security tools that other companies your size use. I’ve talked with CISOs who say ‘I don’t think XYZ tool makes us better protected but I’m not going to turn it off.’”

– Mark Settle, CIO and Author