The role of CISO continues to grow in profile, pressure and importance – especially where it is now Digital change. Today’s businesses require cyber security to survive, and today’s cyber security strategies must support business goals to be effective.
With their book, CISO Evolution Trade Business Knowledge for Cyber Security ExecutivesAuthors Matthew K. Sharp and Kyriakos “Rock” Lambrosse aim to provide CISOs to map the C-suite by providing security lens lessons on basic business concepts.
Here, Lambros and Sharp discuss how to discuss. CISOs can request a place in the boardroom. Understanding business value and linking it to cyber security strategy. They also explain why not every CISO MBA wants it, how to be better negotiated and what to do about the ongoing lack of skills.
Editor’s note: This text has been slightly modified for length and clarity.
Why did you decide to write? The evolution of CISO?
Matthew K. Sharp died- In 2020, I participated in an RSA talk. Rock was at the support show, but no one else came. It was a low point for me. But, since we were the only ones, ‘How do you budget in a cloud for cyber security when the cloud is so flexible?’ We began to think and talk about things like that.
Matthew K. Sharp
We realized that we were going to the conferences and that we had heard so-called thought leaders talking nonsense about business. But, to one of them, ‘OK, how do you do that?’ Most cyber security leaders across the country have no idea, so you get a blank slate.
So Rock – instead of saying, ‘I’ll get rid of this idiot’, ‘If I can’t get someone else to come to the RSA table’ – ‘These are great topics. Let’s write a book. ‘
Kyriakos “Rock” Lambros
Which key should be taken? OfCISO Evolution?
Kyriacos “Rock” Lambrosse The beginning of the book is how EBIT sets out basic business principles, such as how to disseminate financial statements. [earnings before interest and taxes] And EBITDA [earnings before interest, taxes, depreciation and amortization] What it means and why, as a security leader, you need to pay attention. Unfortunately, such basic business skills are lacking in our industry. And that’s the foundation that helps us understand how organizations create value and how we can have those discussions in board rooms.
Linking evaluation to a security strategy is really the key to making yourself relevant as a CISO in the boardroom.
Matthew K. Sharp
Sharp Linking evaluation to a security strategy is really the key to making yourself relevant as a CISO in the boardroom. If you do not understand how your business is being run, you cannot stand up and say, ‘This price will increase’ or ‘This price will not increase’.
Do today’s CISOs need an MBA degree?
Lambros mourn Matt and I both have MBAs – full disclosure. It worked for me, but not everyone has to spend $ 60,000 to $ 100,000. It is a very personal decision.
One compound of The evolution of CISO Not all CISOs need a complete MBA to be successful. We have tried to turn our own MBAs and 40 years of combined experience in the industry into a dynamic workforce. It is a scam that helps cyber security leaders solve that gap.
‘You don’t just get what you want,’ you write about the art of negotiation. It’s about getting what you want. And make the other party feel good about him. What advice do you have for CISOs who do not trust their negotiation skills?
Sharp You are always negotiating to change the situation. That means negotiating prices with your suppliers, negotiating with other stakeholders in the business about inputs and schedules, or negotiating key skills when you can’t offer increases. If you think you are a CISO and you do not promote change, then you are in the wrong business.
Ultimately, the effect is the name of the game. We would like to send you all the appropriate tools and strategies you need to have a successful conversation. You need to build a meaningful relationship, build a stakeholder map, and create a strategy to maximize your impact. Negotiation itself is only the last part.
I really appreciate the way. [former FBI hostage negotiator] Chris Voss approached the negotiations. Compassion and curiosity give you the ability to sit side by side with the person you are negotiating to solve a common problem. And so, there will be more collaborative engagement than trying to influence this person – either through a win-win or a win-lose negotiation.
I don’t think the traditional way of thinking about negotiation is the right way for me and them to go against it, and hopefully, this is what comes in. The evolution of CISO. Negotiation is about working together for the common good and persevering to do certain things that are not conducive to the success of the business.
You mentioned capacity building. How CISOs can build their teams efficiently while they are in progress. Lack of cyber security skills?
Lambros mourn The number one network where you can find new talent is number one. Develop it. Get out there in the community and build relationships.
You can’t leave it to the HR departments – they are not involved in the cyber security community where your greatest potential comes from. They understand what to put on paper and how to check the boxes, but they do not understand cyber security and what they want.
Sometimes, you have to disagree with the HR departments. Some job placements often require a college degree, but some of the most intelligent and talented people I have worked with on cybersecurity do not have a degree. They have a degree in heavy knocking school, and I take it every day. A manpower expert might say, ‘Hey, this guy needs a bachelor’s degree to be a level five wage worker in our company’ – it could be basket-weaving in water. They should only mark that box. I think Asin is in the job market right now.
Sharp Also, like CISO, just knowing about talent is very important in terms of its impact on the executive. Talent control is a priority of the board because the acquisition and retention of talent for businesses attempting digital transformation is a major barrier. It is not technology because the public cloud is easily accessible. So, again, you need to understand how your security program affects the larger organization.
Matthew K. Sharp
Kyriakos “Rock” Lambros
