When CISOs and CEOs meet: Three areas to prioritize


Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US


James Shira

Chief Information Officer, PwC US


When it comes to cybersecurity, the CEO matters: How executive leadership provides support can affect how well your organization is protected from ever-present cyber threats. But only 30% of respondents to PwC’s 2022 Global Digital Trust Insights Survey told us they get sufficient support from their CEO.

Your CEO can help support cybersecurity initiatives in three ways: 

  • Making an explicit statement establishing an organization-wide imperative for security and privacy.
  • Empowering your CISO to conduct the cybersecurity mission, voicing support and providing resources for secure-by-design, secure-by-default processes.
  • Modifying certain elements of the company’s business and/or operating models to make the company “simply secure” when the security team identifies opportunities for improvement. 

How can the CISO help maximize the benefits of interactions with the CEO? For insights on this critical issue, Tech Effect spoke with Joe Nocera, PwC’s leader for the Cyber & Privacy Innovation Institute, and James Shira, PwC’s US and Global Chief Information & Technology Officer.

What should a CISO's objective be when interacting with CEOs?

Joe Nocera: The CISO should help leadership become cyber-fluent, and help connect the dots between security threats and potential business impact. Use the time to really listen to CEOs. Explain where the organization's security process and practices are headed, and make them comfortable with how those processes support the broader business strategy.


James Shira: Cyber threats, and new kinds of attacks, are coming all the time. Concerns are increasing, and there’s high anxiety around this issue. The objective is to help the CEO understand enough so that they feel the threat can be managed. Key is using the language of business and moving the conversation out of tech- and cyber-speak. The interaction with the CISO should make the CEO feel empowered about the risks that the organization owns. 

What should the agenda be for a standing meeting with the CEO?

Joe Nocera: For any given meeting with the CEO, a CISO should cover three topics, in addition to discussing any other pressing issues:

  • Evaluate existing threats. What are the motives of the bad actors, and what do those motives mean in terms of how they might manifest as significant risks to the organization?
  • Convey details on the organization’s inherent risks, and explain how the resources now are being used to address those risks, which can vary by industry and risk landscape. Do the expenditures align with expectations around security? Provide an update on the progress that’s being made — to maturity, cybersecurity framework and enhancements to key risk indicators. Is the security team on course to complete the initiatives that it had planned to accomplish?
  • Demonstrate the measurable results of security initiatives. How has the organization improved its posture, when it comes to enhanced security?

James Shira: When you’re discussing solutions to discover gaps, don’t give them just one option — instead, talk about how various scenarios might play out. How would the tools we have and the strategy we now deploy provide predictability in addressing patterns we’re seeing? Focus on investments that have the most horizontal benefit and breadth of positive results. CISOs have to look for where the investments can get the most impact. For example, at PwC, our capability to continue working during COVID was brought to you by investments we made in 2017. We do go over metrics. We have a slide that shows the amount of time it takes us to do a blocking and tackling defense action. Metrics need to tell a story and inform board members and executives about the progress, or lack of progress, that we’re making. And metrics need to be specific to your specific challenges. Are we getting better over time, based on these investments?

Which overriding security philosophy should CISOs encourage CEOs to adopt?

Joe Nocera: The mission is twofold. First, strategize for the future, and, second, put out existing fires. The objective is to master the fundamentals of digital governance and risk management for day-to-day defense, and to anticipate new threats so that the organization can confidently move forward with new digital initiatives.

Leadership typically wants to know how the CISO evaluates the organization’s inherent risks. CISOs are expected to clearly explain the evolving risks to the organization and to engender confidence in the company’s resilience.


James Shira: Think of security as the lubricant in the engine — it needs to be positioned at the point of friction in the business. What’s the right amount of security, and security investment, that helps the business grow or enter a market? The definition of “good” in security is not fixed. The CISO gets to define what’s good and then position the security enhancements within the CEO’s broader agenda.

How do you prepare for meetings with the CEO?

Joe Nocera: With the CEO, success often comes from how you manage that engagement and make the CEO feel like he or she is getting something out of the interaction. For business executives, the CISO should not rely on them to have security knowledge — instead, the CISO should take security knowledge to them. For most of the audiences we speak to, we need to make the topic relevant to them and absorbable by them. 

James Shira: To prepare for talking to the CEO, you have to consult with the key partners in the key territories of the network. You have to understand what their constituent group is going to say. Focus on storytelling and avoid jargon. Try not to alienate your audience by being too technical. The CISO should convey to executives the current level of threats, and convey that the CISO understands the organization's risk appetite, in order to make the right decisions around policy and to put in place the structures necessary to help mitigate the risks most critical to the organization.

About the survey

A small number of leading organizations in our 2022 Global Digital Trust Insights survey (10%) have created a blueprint for a securable enterprise by reducing corporate complexity and establishing a framework for shared cybersecurity responsibility, with the CEO playing a key leadership role. Every interaction with the CEO can make a difference to the organization.
