At the 2018 Global Security Exchange (GSX) conference, Dave Tyson, CEO at CISO Insights, took the time to provide insight on some of the changes happening in the security industry and to explain how security professionals can excel in this new climate.
An expert in security management, Dave has been a leader in the industry for over 20 years. He wrote his first book on security convergence (Security Convergence: Managing Enterprise Security Risk) in 2007 and has contributed to ASIS International, the world’s largest member organization for security management professionals. Dave has held several key positions for ASIS, including President in 2015 and Chair for the Commission on Enterprise Security Risk Management (ESRM) in 2017. He is a Certified Protection Professional, Board Certified in Security Management and is a Certified Information Systems Security Professional. In our interview, Dave talks about how businesses are taking a more proactive approach to risk management.
Security breaches prompt change in the industry
Until recently, C-level security professionals weren’t typically included in board meetings. According to Tyson, security services were viewed as a necessary expenditure to ensure sound business operations, but they weren’t thought of as a profit-adding asset. This perspective came at a time when sensitive information was kept in filing cabinets and all one needed to do to protect valuable information was to keep documents under lock and key or shred them. But when businesses shifted from paper and pen to digital data management, the industry changed forever. In order to keep up with new security threats that could cause significant financial damage, enterprise security evolved into an essential, value-added service.
In an era where breaches result in big losses to both profit margins and public image, the value of security is now a concern for major companies. However, strategic risk management remains an area that has yet to gain wider acceptance among leadership groups.
Now that information, which was once housed locally, is being processed and stored globally, executives are searching for strategic solutions to mitigate new risks to information security. For a CISO or CSO to command the attention of top-tier executives, Tyson believes that they need to identify and advise on how to reduce and avoid risks, while also demonstrating how their strategic approach will enable organizational profitability.
Security shifts to the forefront of business operations
Tyson believes that the shift in perception of security, from an operational necessity to a valuable component of a company’s strategic initiative, has prompted directors to begin to include C-level security professionals in boardroom meetings in order to advise executives on how to integrate security with emerging corporate strategies. So far, the inclusion has been beneficial on both sides, as we now see security professionals, who once plateaued at director positions, rise to Senior VP ranks.
When asked for tips on how CSOs and CISOs can have a major impact in the boardroom, Tyson shared three major ways that security experts are currently building credibility among the top-ranked executives in various businesses.
- More than ever before, Chief Security Officers are focusing on protecting the things that businesses value most. Before attending a session with leadership, it’s imperative to understand the focus of the business. It’s not enough to simply offer tools for the business to deploy. You must understand the company’s core values and demonstrate how you can protect them.
- When it comes to presenting security as an enabling function of business, it’s important to explain how integrated security systems create a competitive edge for a company. Point to profit margins that benefit from the service and explain how it gives the organization a leg up on competitors that don’t use the same service.
- The manner in which a CSO explains security risks to the board of directors is just as important as the message they’re delivering. Effective communication adopts business language—not policing jargon.
The shift from paper filing to tech-based data processing has changed the security industry. It has created a greater need for strategic approaches to the way businesses manage and protect private information, while still remaining profitable. To harness these new opportunities, C-level security professionals must explain how their services will protect a company’s values and increase their profits at meetings with executives. Tyson is now seeing companies place greater value on their security experts through more security directors becoming senior vice presidents, and the role of security taking greater precedence in organizations’ strategic initiatives.