Wiz recently had the privilege of hosting three insightful security leaders for the latest episode of our monthly CISO webinar series: Adam Fletcher, Chief Security Officer at Blackstone; Carla Sweeney, Security Team Lead at Red Ventures; and Jeff Farinich, SVP of IT and CISO at New American Funding. They shared insights on aligning priorities with the board and on how the dynamics of collaboration change the game. We share some of the key takeaways below.
Speak the C-suite language. A CISO's role has always been to balance business needs with security needs. The panelists stressed that CISOs must align their own priorities with those of C-suite executives. Both Fletcher and Sweeney emphasized the need to articulate risk in business terms that spell out the potential financial and regulatory impact, and they agreed that it is best practice to trade technical jargon for language that C-suite executives understand.
Focus on governance versus control. Carla Sweeney shared that at Red Ventures, security efforts are organized across a wider group of stakeholders rather than owned by the security team alone. Jeff Farinich of New American Funding added that his security team also works closely with developers, which creates “flexibility for enablement, but also governance.” All of the panelists rated having the right relationships in place across teams as a high priority for executing their programs effectively.
Don’t assume legal liability. Make a clear distinction between security professionals owning risks and security professionals identifying and surfacing risks. “It’s very important that we work closely with the board leadership to understand that we’re not the only ones who are at risk. It’s also them; it is a partnership. But as of now the CISOs are kind of the fall guys, and we’ve gotta change that,” Jeff Farinich explained.
Establish strong relationships with stakeholders. Sweeney described the delicate balance between keeping stakeholders informed and protecting sensitive details during a potential breach. She recommended building strong relationships across the security, privacy, legal, and communications teams in advance in order to manage that balance successfully.
Understand the regulatory environment. When disclosing information about a potential breach, Farinich highlighted the need to communicate accurately with the organization’s board about both the technical risks and their real-world implications, while keeping abreast of the ever-evolving regulatory landscape set by the SEC.
Throw out benchmarks and set your own goals. Achieving your own objectives should take precedence over chasing industry benchmarks or spending metrics. Fletcher cited Phil Venables' thoughts on the pitfalls of benchmarking and emphasized setting security goals specific to your organization. He summed it up succinctly: "run your own security program."
Be a team player. The CISO's role is no longer confined to the IT department. Rather, CISOs have emerged as strategic teammates who work alongside C-suite executives. To win C-suite buy-in for prioritizing cloud security, CISOs must provide a clear picture of the organization’s cloud environments and identify the critical assets at risk.
Driving C-suite buy-in requires a combination of thought leadership, awareness building, effective communication, and shared objectives. Our panelists focused on the importance of establishing good governance, assessing risk tolerance, and building robust relationships at every level of the organization. They also emphasized the need to streamline processes so that teams can address vulnerabilities quickly and continuously monitor controls so that problems are caught and corrected early.
Watch the webinar for more valuable insights!