Sarah Lawson
CISO
University College London
JULY 2022
For a typical CISO, the language of their everyday world can almost sound like they work in a war zone – stress, risks, threats, and attacks. At the same time, there is heightened awareness of security threats and breaches from C-suite leaders, the Board, and other stakeholders. This places CISOs in the limelight – but it is often associated with a risk or the negative outcome from an attack.
When CISO Sarah Lawson started in her role at University College London, she wondered how to approach cybersecurity from a different perspective. She asked, “How can CISOs sound and be more positive about their role in the organisation and the value they bring?”
Lawson posed this question to her peers at the recent UK and Ireland CISO Executive Summit. She kicked off the discussion by asking how CISOs would answer if a stakeholder asked them when they would mitigate all risks for the organisation. The CISOs’ answers included “never” and “what a silly question.”
“Most CISOs know that they can never make their organisations fully secure. It is an impossible task.”
Lawson added, “So, the question becomes: How do we change the message? What can we do to make security more value-driven for the organisation?” She noted that framing the issue in black and white terms “will ultimately result in a ‘bad’ conclusion. We want to show the best prognosis of where we are going to be – not always the ‘worst’ prognosis.”
Changing the Language to Reposition the CISO
One of Lawson’s suggestions for repositioning the CISO role – and security, in general – is to change the language around cyber threats and risk messaging. She noted, “Ultimately, we need to change the terminology we use when conveying ideas around information security.”
For instance, when it comes to security awareness and training internally, CISOs and their teams often use “concerned” and “boring” words, as Lawson described them. When she applied behavioural science to determine the effectiveness of security training, she found that 10 percent of people will not follow traditional security measures, regardless of how much training they receive.
Lawson theorised that using different types of language could be more effective and persuasive. As she said, “What if we no longer used ‘FUD’ (fear, uncertainty and doubt) – but changed our words to be value-driven.”
Lawson explained that this shift is “using the methodology that the threat actors are themselves using against individuals.” She went on to say that “emails which use more positive terminology tend to garner the most responses and continued engagement. Therefore, CISOs can learn from the positive affirmation employed by the very same hackers we are aiming to stop.”
Another key point in Lawson’s discussion on language was to keep everything in layman’s terms. Lawson said that it can be helpful for security to be perceived as “less technical and more approachable.”
A More Value-Driven Approach to Security
The role of the CISO has also grown and matured, and Lawson shared that they are measured and resourced like other parts of the business. “It’s not hard to ask for money if we associate value with it,” she said. “And, we should be talking about how we enhance and enable the business.”
Lawson believes articulating the value of the CISO role and department is important. This is not only a resourcing question, but a re-positioning of security. “It’s all about changing how an idea is articulated – tell your team what the value of their role is. It is not merely about stopping potential risks, but adding tangible value,” she explained.
“The CISO role is about more than just protecting the enterprise from impactful events. We also want the team to feel that they add tangible value.”
In addition, CISOs are currently in the limelight, and Lawson views this as an opportune time to reposition the role. It’s also important to “start putting the security team out in the open, exposed to the broader organisation,” she added. “They should not be hidden away in the background.”
This unique approach, in her experience, can yield positive results for retaining employees and securing resources. Lawson believes CISOs are in a position now to associate value with everything they do and be a positive part of the business going forward.
To sum up, businesses have changed and how leaders react to security has changed – and Lawson believes security teams need to adapt to this new reality, too. CISOs and their teams should start moving away from “the world is falling in” to a more value-based approach, ensuring that leaders and stakeholders feel their organisations are robust, secure, and resilient.
Content adapted from the UK & Ireland CISO Executive Summit. Special thanks to Sarah Lawson and University College London.