The CISO’s wildcard – New Executives in charge: A proper method to avoid pitfalls and gain ground

By Jeremiah Kung, Global Head of Information Security, AppLovin

Large organizations often bring in high-level executive talent to revamp, transform and rewire entire departments. This happens at almost any company large enough to have its own cybersecurity department. The incoming executive's goals are usually to increase profits while lowering costs and keeping current talent happy. Certainly a goal that is very easily accomplished….

These executives vary in talent, experience, and approach, but the themes they face are common: tight timelines, strict budgets, and a lot of tribal knowledge to learn and interpret.

When it comes to cybersecurity, most execs are more worried about the bottom line and how to show improvement. That is not to say they do not care about information security; more often, they simply do not understand how that engine runs. Their best hope is not to have a major incident or breach. At worst, they look at the program as another cost center to target for budget cuts. The CISO's main job is to keep the program in the most positive light while still protecting the firm. Here are the key activities a CISO will need to perform to build the proper perception and create a strong relationship with the incoming exec.

Communicate, communicate, communicate – With constant pressure to make changes and show improvements, the new exec in charge of the transformation needs to know the cyber program has things handled. Make time for regular touchpoints to ensure goals and vision align. If they don't, adjust accordingly or make the case to change the exec's mind. In either scenario, it is essential that you speak the exec's language. Be prepared to use "dollars spent = risk reduced" business cases rather than technical jargon, and do not use the latest news story to create fear and doubt. This builds a comfort level for the exec: they see that you view things similarly and that they can work with you on adjustments, or on presentations to the board about next steps.

Show wins, and show them quickly – Speed is key for the CISO in situations like this. Any time a new exec is brought on board, you have a limited window to make a proper impression. Never forget that peers and other department heads are your competition in this regard. And unlike departments that run profit centers from making or selling widget X, the ledger for the cyber department typically runs on cost only. This makes it even more important to be among the first to prove value, and it is a very solid way to keep the scythe of efficiency from landing on the cybersecurity program. Hopefully there are business-friendly KRIs and KPIs already in place that can be used to establish that value. Another way is to show key wins against the latest "industry" fire drill. To clarify, this is not using the latest news story to create fear and doubt; the "big scary story" is not presented as a boogeyman waiting to strike at any second. It is presented as a defeated opponent, thanks to your program being in a constant state of readiness. Once again, this is an exercise in communication using the exec's language. Most execs still do not speak the information security language very well, but almost all of them know that the threats are growing constantly.

Prioritize – Speaking of being in a constant state of readiness: the CISO should also always have their program fully prioritized. Do not focus on technology. Focus on the people. Tools come and go, and license costs can be negotiated, but what will be missed most are the people who work day after day to learn the tools, build the processes, and drive the risk closures. They are much harder to replace.

The CISO may be asked to make some cuts, or at the very least to look at what excess may be trimmed (often this is exactly why the new exec was brought on board). Outright refusal, or failure to make a strong case, will hurt credibility. It is important for the CISO to show that they are "on board" with the new program. A CISO should already have a solid roadmap built and be executing against it. That way, "sacrifices" can be made on future projects, which only extends your timelines, rather than suffering present-day losses and attrition of key staff.

These key steps, taken quickly enough, can keep the wandering eye of reorganization from landing on the cyber program and, if executed properly, can have the opposite effect. With enough consistency in practice, over-communication, and readiness, the CISO can actually gain the confidence of the new exec. That confidence can move the needle from being a target to being the star of a board presentation. Out of all of this, the most important lesson for any CISO is this: no matter how good the cyber program may be, perception is reality.