A 'CISO evolution' means connecting business value to security

The CISO role continues to grow in profile, pressure and importance -- especially in the current era of digital transformation. Today's businesses require cybersecurity to survive, and today's cybersecurity strategies need to support business goals to be effective.

With their book, The CISO Evolution: Business Knowledge for Cybersecurity Executives, authors Matthew K. Sharp and Kyriakos "Rock" Lambros aim to provide a roadmap for CISOs navigating the C-suite by presenting lessons in foundational business concepts through a security lens.

Here, Lambros and Sharp discuss how CISOs can claim their place in the boardroom by understanding business value and connecting it to cybersecurity strategy. They also explain why not every CISO needs an MBA, how to become better at negotiating and what to do about the ongoing talent shortage.

Editor's note: This text was lightly edited for length and clarity.

Why did you decide to write The CISO Evolution?

Matthew K. Sharp: In 2020, I had a speaking engagement at RSA. Rock was there in a show of support, but no one else came. It was kind of a low point for me. But, since it was just us, we started brainstorming and talking about things like, 'How do you meaningfully budget for cybersecurity in the cloud when the cloud is so dynamic?'

Matthew K. Sharp

We also realized we kept going to conferences and hearing so-called thought leaders making insipid statements about speaking to the business in business language. But, if you ever asked any of them, 'Well, how do you do that?' you would get blank stares because most cybersecurity leaders across the country actually had no idea.

So, Rock -- instead of saying, 'I'm going to distance myself from this idiot who couldn't get even one other person to show up to his RSA table' -- said, 'These are great topics. Let's write a book.'

Kyriakos "Rock" Lambros

What are some key takeaways from The CISO Evolution?

Kyriakos "Rock" Lambros: The beginning of the book lays out foundational business principles, such as how to tear apart financial statements, what EBIT [earnings before interest and taxes] and EBITDA [earnings before interest, taxes, depreciation and amortization] mean and why you, as a security leader, should care. We often find that kind of fundamental business acumen lacking in our industry, unfortunately. And it's that foundation that allows us to understand how organizations create value and how we can have those conversations in boardrooms.

Connecting valuation to security strategy is really the primary method for making yourself, as a CISO, relevant in the boardroom.

Sharp: Connecting valuation to security strategy is really the primary method for making yourself, as a CISO, relevant in the boardroom. If you don't understand how your business is actually valued, then you can't possibly stand up in front of somebody and say, 'This adds value,' or, 'This doesn't add value.'

Do today's CISOs need MBA degrees?

Lambros: Matt and I both have MBAs -- full disclosure. It worked for me, but not everybody needs to go shell out $60,000 to $100,000. It's a very personal decision.

One of the premises of The CISO Evolution is that not every CISO needs a full-blown MBA to succeed. We tried to distill our own MBAs and our 40 years of combined experience in the industry into a digestible volume of work. It's a cheat sheet to help cybersecurity leaders bridge that gap.

More on The CISO Evolution: Business Knowledge for Cybersecurity Executives

Learn more about this title from Wiley.

Read an excerpt from The CISO Evolution: Business Knowledge for Cybersecurity Executives about how to calculate an organization's cyber-risk appetite.

You write about the art of negotiation, saying 'It's not just about getting what you want. It's about getting what you want and having the other party feel good about it.' What's your advice for CISOs who don't have confidence in their negotiating skills?

Sharp: Anytime you're advocating to change the status quo, you're in a negotiation. That can mean negotiating prices with your vendors, negotiating with other stakeholders in the business about resources and timelines, or even negotiating to retain key talent when you can't offer raises. If you think you're going to be a CISO and not introduce change, then you're in the wrong business.

Ultimately, influence is the name of the game. We want to send you into the room equipped with all of the appropriate tools and strategies you need to have a successful dialogue. You have to make sure you've established meaningful relationships, built a stakeholder map and created a strategy to maximize your influence. The negotiation itself is just the final component.

I really appreciate the way [former FBI hostage negotiator] Chris Voss approaches negotiation. He argues that empathy and intellectual curiosity give you an ability to sit on the same side of the table as the person you're negotiating with to solve a mutual problem. And so, instead of trying to influence this person -- resulting in a lose-win or a win-lose negotiation -- it turns out to be a much more collaborative engagement.

I don't think the traditional, me-versus-them paradigm is the appropriate way to think about negotiation, and hopefully, that's what comes across in The CISO Evolution. Negotiation is about being a collaborative partner to pursue mutual benefit and having the persistence to do some things that are uncomfortable to get to the optimal outcome for the business.

You mentioned talent retention. How can CISOs effectively build their teams amid the ongoing cybersecurity skills shortage?

Lambros: Your network is the number one place you're going to find new talent. Cultivate it. Get out there in the community, and build relationships.

You cannot leave it to HR departments -- they are not tapped into the cybersecurity community, where your top talent is going to come from. They understand what you put on paper and how to check the boxes, but they don't understand cybersecurity and what it needs.

Sometimes, you're going to have friction with HR departments. They often require college degrees for certain job classification levels, for example, but some of the smartest and most talented people I've worked with in cybersecurity don't have degrees. They have degrees from the school of hard knocks, and I'd take that any day. An HR professional might say, 'Hey, to be a level five salary-grade employee in our organization, this person must have a bachelor's degree' -- it could be in underwater basket-weaving; they just have to check that box. I think that is asinine in the labor market that we're in right now.

Sharp: Also, as a CISO, just being informed on talent is pretty critical in terms of your influence at the executive level. Talent oversight is a board priority because, for businesses attempting digital transformation, capturing and retaining talent is the main constraint. It's not technology because the public cloud is readily available. So, again, you have to understand how your security program affects the broader organization.