The Summit this year was easily one of my favorite events from a security knowledge perspective. As is to be expected, there was a lot of ESRM talk but in a way that went beyond the acronym and into concrete ways of implementing the principles of the security philosophy.
The following is a list of the ideas and practices shared at the summit that really resonated with me.
The professionalism of the role
The role of the CSO is becoming more meaningful from a business perspective. This includes both the nature of the role and also the perception of the CSO in an organization.
The CSO and security operations are increasingly being thought of as something that adds value to a company, rather than simply existing as a necessary cost. Security can be a differentiator when it comes to acquiring new talent and business. Clients and prospective employees have to be wary of who they do business with to prevent reputational damage, and a strong security operation can help ease that concern.
Company-wide impact
The CSO impacts everyone at an organization. From making sure the entire company is performing their due diligence to maintaining high retention among the workforce, the CSO has an impact. They might not affect everyone equally, but they do affect everyone.
With such an impact, the CSO needs to speak to everyone. They can’t just focus on upper management, they need to be engaging workers in all positions. Security needs to be taken seriously by every employee or its limited in its effectiveness. When workers engage in security, they act as a security force multiplier, making a company exponentially safer.
A seat at the table
If you’re not being invited to discussions at C-suite, invite yourself. Demonstrate that you are a valuable business partner and eventually you won’t have to keep forcing invitations.
It’s important to not always go to these meetings with an ask. Bring data and insight to show that you have something else to offer other than a greater drain on operational costs. Also, consider avoiding too many acronyms and jargon. Just tell them what they need to know and what’s of obvious value.
Innovation for innovation’s sake
The consensus coming from the summit was that innovation needs to happen beyond what the CSO already does. A lot of technology is being implemented that doesn’t end up being used because it doesn’t directly relate to the current state of security operations. Make sure whatever tech you bring in is enhancing a role, not just adding an unnecessary cost. Budgets are tight enough as it is.
Risk in the boardroom
Risk should be a consideration for the board of directors. The CSO should help the board not only understand risk but manage risk as well. If the CSO can do this role effectively, it will go a long way to cementing their position in the boardroom.