What can a CISO do if their authority is unequal to that of other C-suite execs (apart from the CEO)?

Security & GRCInternal CXO Relationships
1.4k viewscircle icon25 Comments
Sort by:
PMO – Engineering in Software3 years ago

Fr Chief Information Security Officer, s/he can establish and maintain the strategy and vision to ensure information and technology needs are adequately communicated and executed. 

Senior IT Manager in Government3 years ago

Make sure the rest of the c-suite is aware of and understands the risks of inadequately addressing security. Partner with other c-suite execs who do have the authority and understand the risks. 

IT Director and Software Producer in Software3 years ago

A CISO (vs. most other C-Suiters) should have the ability to truly understand the DR plan in all its permutations. Playing through as many contingencies as possible and getting hands-on with solutions sets this role apart in my opinion. 

This relates directly to Ben Rothke's comment ("Consider that CSO in that case = Chief Scapegoat Officer.") in that, yes (LOL), the CISO is going to be the one getting sprayed when "stuff hits the fan", so hopefully they've prepared for that outcome and have a hazmat suit ready to go.

Managing Director in Manufacturing3 years ago

They will need to build political capital that can enable them to protect the security and safety of the organizations data. While they do this they need to enable the role to become an equal member of the C-Suite too, otherwise the accountability and value of the role is unlikely to retain quality talent. 

CIO in Education3 years ago

Authority doesn't necessarily reflect on the ability to get things done. If you do your job well, then others at the C-level will recognize and respect that. That will bring the authority with it, whether it's only implied or actually given.

Content you might like

Which vendor solutions are being considered to "read, identify and redact information" in unstructured data sets? I'm specifically looking at solutions that can mask / redact or hide content within documents, that allow documents to be consumed but certain piece of information to be hidden.

We are considering a scanning solution for detecting Personal Information (PI) in our data assets, mainly AWS S3, DynamoDB, Salesforce, etc. We need the solution to detect PI, identify the type (e.g., infotype), and optionally map it to our own PI categories. We are currently considering BigID. Do you have experience with this tool or any other tools that can help us scan across different data platforms and technologies?

Read More Comments

Are CISA's current recommendations for preventing Maui ransomware attacks sufficient?

Yes, if followed correctly.39%

Unsure38%

No, there is still a significant risk.19%

Other (please tell us in the comments)3%

View Results

We implemented Oracle HCM recently including Redwood.  Defining the long term plan for support, we face challenges with our Oracle Security knowledge depth specifically (defining and maintaining roles/ SOD/ SOX etc). Is there anyone who has experience in setting this up after a successful Oracle HCM plus Redwood implementation and would like to share best practices with me?

Has cryptocurrency helped to facilitate the ransomware market?

Yes80%

No15%

Unsure4%

View Results
What can a CISO do if their authority is unequal to that of other C-suite execs (apart from the CEO)? | Gartner Peer Community