Can you provide me some keys to demonstrate that the CSO is (needs to be) a business leader?
CSOs need to "run security as a business," just like other functions do. Based on our 10 years working with practitioners and researching how successful leaders demonstrate that they add value to the organization – and are considered a valuable asset to the business – consider the following recommendations:
Let's start with budgets. Your budget process should be built on a foundation to enhance efficiency and effectiveness. The first step in managing a budget well is knowing what security services the budget needs to support. This may seem simplistic, but it’s a step many security leaders fail to take. If the security leader can’t point to some kind of documentation that clearly states what the function is specifically offering, none of the rest of the organization will fully appreciate the breadth of services security provides.
Once services are identified and cataloged, there are other questions that must be addressed: “What do these services cost?” How many full-time employees and contract staff are dedicated to each service? Does staff outside of security participate as well and, if so, how many hours do they spend performing security services? What technical or material resources does the service require, what does upkeep and maintenance cost, and what is the price of purchase or planned replacement (both within and outside the department)?
When a finalized list of services and costs has been developed, it’s time to determine the service value. Take the list and establish who the beneficiaries of each service are. Which business units gain opportunities or benefit from risk mitigation as a result of the service, and how? If possible, develop or include metrics that show the benefit in a tangible way.
Knowing your "customer" is another vital component. What business would put something out into the marketplace and not assess who uses or values their offering? There are several ways to become more familiar with your customer’s needs. One is to develop personas, a technique borrowed from marketing. For the security department it can be helpful to identify internal customer “types” (needs, motivations, attitudes, etc.). Use these to prototype reactions to proposed enhancements or new roll-outs, for example. Another way to better understand your customer is to gather stakeholder criticality ratings, in a similar fashion to how the sales department evaluates product lines: for example, meet with every stakeholder and determine the security programs and services they consider critical to their line of business. If you are willing to invest the time, you help create understanding and ownership of risks with your stakeholders. The process helps business units correlate their risks with what matters to them from a security standpoint. By involving them you’re learning what their concerns are and educating them on what you provide at the same time.
Understand your specific organization. Don't attempt to apply a solution without knowing your environment. This includes how your organization views "security," how mature your program is currently, what kind of leader you are and whether this fits the corporate culture and risk appetite of the company. Our research shows an awareness of and strategy for each of these is needed to: advance the success factor of the security function; develop security leadership aptitude; and advance the organizational readiness for security to sites, staff groups and senior leadership.
Keep in mind the CSO is (or should be) a business person who happens to have knowledge and expertise in risk mitigation – not a person with security acumen who happens to be inside a business. And they should possess the same kinds of leadership skills desired in other business unit leaders. Many do, but some are not thinking of themselves as business people. This skill set includes good presentation skills, strong communication proficiency, the ability to build peer influence, manage budgets, and so on. As a business person you should be continually "selling" your offerings and demonstrating (e.g., through key performance indicators*) that what you do is beneficial.
(*See the Knowledge Corner: Measures and Metrics for more on this topic.)