In the ever-evolving landscape of cybersecurity, the role of the Chief Information Security Officer (CISO) has grown beyond its traditional boundaries. As organizations become increasingly interconnected and digital, the approach to cybersecurity must adapt to these changes.
In a recent interview with Cyber Security Tribe, Sabino Marquez, CISO at Cognota, shed light on a groundbreaking shift in the CISO's responsibilities – moving from security-focused operations to trust assurance and proactive value assurance. In this article, we delve into the key takeaways from Marquez's insightful discussion, exploring the evolution of cybersecurity leadership and its impact on the industry.
The CISO Role Transformation: Trust is a Valuable Asset
The transformation of the CISO role is driven by a need to bridge the gap between cybersecurity and the broader business objectives of organizations. Marquez began his exploration by addressing a common frustration experienced by cybersecurity practitioners – the lack of attention or understanding from the business side.
He questioned why the language of risk management and security didn’t resonate with the business as strongly as it should. The revelation came when he observed the correlation between trust and company valuation during the Yahoo breach. The loss of billions of records resulted in a 20% drop in what Verizon was willing to pay for Yahoo. This incident highlighted that trust was a significant factor in entity valuation during equity events, making it clear that trust is a valuable asset.
Trust: The Catalyst for Transformation
The concept of market trust emerged as the cornerstone of this paradigm shift. Market trust is not just about perception, but about the value it enables and defends for an organization. This shift from security to trust assurance involves reframing the focus from IT security practices to aligning the entire organization behind safe motion. This unique perspective redefines the CISO's role as a market-facing product leader serving customer stakeholders.
Trust in Revenue and Customer Journeys
Not every company operates in the same trust-intensive manner. Some industries, like the food sector, rely on heavy regulatory frameworks to ensure safety, while others, such as software companies, must establish trust through their products and services. The latter is particularly crucial for businesses that handle confidential data and require their customers to trust in their operations. Marquez emphasized the shift from being an internal service organization chasing the business for security to a role where trust is proactive and contributes to the company's revenue and market positioning.
Cybersecurity as a Business Enabler
There is a critical link between trust and revenue, asserting that companies that lead with trust and communicate it effectively go to market with an advantage. This new approach to cybersecurity allows companies to close deals faster, increase customer retention, and reduce the time to renewal. When cybersecurity is aligned with trust, it becomes an integral part of the revenue journey, contributing positively to customer acquisition costs, lifetime value, and overall business performance.
The Intersection of Trust and Value
The conversation shifted to the relationship between the SEC's final ruling on cybersecurity risk management and the concept of trust assurance. Marquez pointed out that while the ruling introduces regulatory requirements for companies to attest to their safety posture, it can be seen as a hammer approach rather than a carrot approach to trust assurance. He emphasized that businesses should proactively embrace trust practices to demonstrate value, rather than only reacting to regulatory pressure.
Transforming Conversations and Influence
The discussions brings up the challenges of changing the conversation within organizations and selling the concept of trust assurance to the Board and other C-suite executives. Marquez noted that conversations usually come to him, as his approach involves putting money on the table – demonstrating how trust assurance can lead to increased revenue and market success. By aligning trust practices with the organization's revenue model, he has been able to shift conversations from controversy to value-driven discussions.
The Partnership of the CMO and CISO
Marquez highlights the evolving roles of the Chief Marketing Officer (CMO) and Chief Information Security Officer (CISO), as they become more strategic and directly contribute to revenue generation and market opportunities. Both roles have transcended their traditional boundaries, with the CMO focusing on enhancing customer experience, branding, and growth, while the CISO ensures that IT security aligns with market and customer expectations. Trust plays a pivotal role in building a strong bond between a business and its customers. Therefore, it is imperative for the CMO and CISO to collaborate closely to effectively and securely communicate trust to their customers.
The Role of CISOs in a Changing Landscape
These insights shed light on a transformative journey for CISOs, one that shifts their focus from mere security to trust assurance and proactive value creation. The changing landscape of cybersecurity demands that CISOs take on the role of market-facing leaders who bridge the gap between security and business objectives. By understanding the link between trust and revenue, CISOs can drive organizations towards greater success, both in terms of market positioning and customer relationships.