The Secret to CISO Success? Don’t Be a Roadblock to Business Growth
It shouldn’t surprise anyone that being a CISO is a stressful job. Long days filled with endless meetings, emails, and presentations. There’s also that pesky little detail that if there’s a data breach and your company’s intellectual property is exposed, you’ll probably be fired by the end of the week.
According to Jay Gonzales, CISO at Samsung Semiconductor, vetoing every technology request may mitigate the risk of a data breach or compliance violation, but it will also get you branded as a roadblock. Companies generally don’t have the patience for marginalized employees who impede growth.
Gonzales is an inaugural member of Accellion’s CISO Advisory Board. He provides valuable insight into the challenges and opportunities inherent in the CISO role in general and the manufacturing industry in particular. This blog post is the first in a series.
Gonzales understands that saying “no” can be a frustrating experience for employees when it means they can’t get their work done, and he sympathizes. “It’s a lot harder for CISOs to demonstrate value when people complain that the security team won’t let them do what they need to do.”
Is there a way for CISOs to protect and support the business simultaneously? Gonzales says yes. He recommends maintaining an open line of communication with business leaders. Being a good communicator – which includes being a good listener – helps CISOs build a rapport with their internal stakeholders and set proper expectations.
“The greater the presence you have in the organization, the better equipped you are at mitigating employee frustration. If you’re approachable and available and communicate what you need to do and why you need to do it, you send the message that you’re there to help.”
Gonzales also recommends going for the small wins. “If you can solve the little problems that employees have frustrations with, then they know you have their best interest in mind, that you’re vested in making them productive. In return, they become more understanding of the CISO’s need to balance security with productivity.”
Gonzales is aware of the reputation many CISOs have. He doesn’t want to be considered the “no” guy; however, “the reality is there are some areas where we just don’t have any flexibility in our decision making to help support the business.” Gonzales is also quick to point out that every CISO has a boss, and what might be a priority for the CISO may not be a priority for their boss.
Rather than blame the CEO or CIO, Gonzales reiterates the importance of communication in setting expectations. The strategy has worked for Gonzales. “Our employees understand our need to balance security with productivity. They know we’re a global company and they know the security team has a global responsibility to protect the company’s crown jewels, our intellectual property.”