The CISO as an Architect of Business Risk: 6 Strategies to Transcend Technical Security

The role of the Chief Information Security Officer (CISO) has evolved beyond protecting systems and data. Today, security leaders must understand and manage business risk, integrating cybersecurity into the overall business strategy. This article gathers insights from experts like Doug Kersten, Dale Hoak, and Gary Hayslip, who share six key strategies to master this new dimension.

1. Collaborate with Business Risk Owners

Doug Kersten, CISO of Appfire, has seen his responsibilities expand toward business risk. To address this, he works closely with leaders from areas such as legal, finance, and marketing. “We form a great team to understand the organization’s risk and risk appetite,” says Roland Palmer, CISO of JumpCloud. This approach helps identify previously unknown risks and align security with business objectives.

2. Align Cybersecurity with Business Goals

Kersten incorporates the corporate objectives and key results (OKRs) into his security strategy, analyzing how the department’s actions affect talent retention or customer satisfaction. Richard Watson from EY recommends “mapping cybersecurity controls to critical assets and business processes, linking them to their potential financial impact.” This translates technical exposure into business terms, so that security investments can be prioritized by the business value they protect.

3. Invest in Networking and Relationships

Gary Hayslip, co-author of The CISO Desk Reference Guide, recommends conducting “listening tours” to understand the real concerns of business leaders. Dale Hoak, CISO of RegScale, emphasizes interaction with the CFO, COO, and other executives: “These conversations provide visibility into emerging risks and allow security to be part of strategic planning.”

4. Conduct Simulation Exercises Focused on Business Risk

Hayslip suggests scenarios that force executives to make real decisions, such as whether to pay a ransom or how to communicate a data breach. “These exercises test the organization’s response and reveal how executives make decisions under pressure,” he explains. It’s a structured opportunity to delve into business risk.

5. Train in Business Risk

Sean Murphy, CISO of BECU, earned the NACD Directorship Certification, which “helps understand what concerns the board and how they view risk.” Hayslip recommends analyzing the annual report and investor presentations to understand how the company generates revenue. “You can’t prioritize protecting the business if you don’t know which parts are critical,” adds Murphy.

6. Integrate Security into Enterprise Risk Management

Scott Melchior from ISACA states that “cyber risk is now an existential danger to the business.” Hoak advocates integrating cyber risk with financial, operational, and strategic risks into a common framework. Hayslip has already applied this by integrating the security risk register into his organization’s ERM platform, quantifying each risk in financial and probability terms so it can be compared directly with the other enterprise risks.

These strategies not only help CISOs master business risk but also position them as strategic leaders within their organizations. To dive deeper into how the CISO can transcend technical security, we invite you to read our article The CISO as an Architect of Business Risk. You can also explore how real-time exposure redefines cybersecurity in From Hunting CVEs to Live Management.

Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.