While cyber used to be viewed as a significant cost to the organization, that perception is changing as threats continue to rise and the impacts of those risks become material to an organization, including direct financial costs and reputational harm.
On the front lines of this shift are CISOs like Jake Martens, who serves as SVP and CISO at Aristocrat and as a NightDragon Advisor. NightDragon recently sat down with Martens to discuss this shift to cybersecurity as a value center within forward-leaning companies, as well as how CISOs can encourage those conversations within their own organizations. Here is an excerpt of that conversation:
As a CISO, how do you think about building a cyber strategy that brings value to the organization? What are the key components of that?
I think it is imperative for CISOs to help their organizations understand that cybersecurity is not just something they must do to stay out of the news and to avoid fines for non-compliance, but also something that can help them win business and increase revenue. It is simply shortsighted to fail to recognize how much emphasis we all, as citizens and consumers in the world, place on trust and trustworthiness. From online shopping, to the doctors we visit, to the interpersonal relationships we invest in – and everything in between – we prioritize the ability to trust and be trusted. Every single company can view cyber as solely a matter of prudent risk management to avoid the bad things, OR they can take that view as table stakes and ALSO augment it with the view of cybersecurity as a true value enabler.
How has focusing on value enablement versus just risk reduction changed your role within the organization? What about what products you invest in?
Candidly speaking, it is much more fun and rewarding. As an analogy, my oldest son is a police officer. If he simply viewed his role as finding and stopping criminals in his city, he might well get results, but they will be nothing close to the positive impact he has by focusing on proactive community safety where everyone believes they have a role in building a high-trust collection of neighborhoods. To continue the analogy, taking this more progressive approach to policing increases property values and citizen satisfaction.
For CISOs with this mindset, it allows (and frankly forces those feet draggers 😊) to get into the business, understand where cyber can be part of the top-line focus, help with customer messaging and engagement around trust, and partner with functions like privacy, compliance, IT, continuity, and others to integrate the practice and storytelling of trust.
Has this mindset resulted in better defense for the organization? How so?
Unquestionably. The level of investment now goes beyond the core set of blocking and tackling into more advanced and proactive capabilities. Further, we are leaning into the work of our business and functional partners, delivering a reputation built on engagement vs. just enforcement.
There are those who would argue that evangelism leads to visibility, which then expands the target on our back and – in some ways – gives the attackers permission to seek to do us harm. My counterargument is that the target is already there, and attackers don’t need permission. Building an advanced set of trust-oriented controls and enablers strengthens protection, expands reputation, and wins business.
Do you think more CISOs overall today are viewed as value-enablers? How is that the same or different than it was five years ago?
It is really mixed. There are plenty of companies that continue to view CISOs and cybersecurity as solely a risk management priority. Partially this is due to CISOs who are more technical than business-savvy, as well as those who are not pushing the agenda of value-enablement. CISOs need to be increasingly vocal about the potential to drive value, and we need to bring examples of the value. For instance, find a customer who cares about trust and leverage it for both their and your benefit – then share that example visibly. Then, rinse and repeat!
There is no question there is more of a focus on value than there was five years ago. In years past, there was only one Chief Trust Officer (to my knowledge) – Jim Alkove who was with Salesforce. Now you have Trust & Security Officer roles at Salesforce, Cisco, Atlassian, Autodesk, and countless more. This is a great example of the evolution we see today in the marketplace. I also wrote about this here.
What advice do you have for CISOs on better positioning themselves to focus on value to the organization? Where can they start, and what conversations do they need to have inside the organization?
There are a number of steps a CISO can take to help position themselves as value enablers within the organization. From my perspective, the key components are:
- Create an identity, vision, mission, and strategy that includes risk minimization and value maximization elements
- Gain support from senior executives and board to not just strive for cyber stability
- Strike a balance of solid cyber capability execution and compelling cyber evangelism
- Build, nurture, and maintain a world-class team of leaders and employees who are technical and can/do also engage strongly with non-technical folks in the business and beyond