That is the way Jason Clark, CISO at Accuvant, sees it as well. "To gain respect, the CISO needs to be a business-savvy executive who needs mentoring from either the CEO or CIO, or from another top CISO," he said.
Dave Frymier, CISO at Unisys, agreed. "Any security -- military, protecting the Pope, information security -- is a balance between risk and usability," he said. "Unless CISOs understand at least something about organizational objectives and business needs, they won't be able to make, or explain, that tradeoff in a meaningful way."
Chris Wysopal, cofounder, CTO and CISO of Veracode, has a similar message. CISOs should "focus their attention on ideas that truly add to top-line business value," he said. "Understanding how to position security as an enabler for winning, serving and retaining business for the enterprise is essential."
He added that part of the problem is that the CISO role "is relatively new and currently being defined compared to the more established C-level executive roles. What CISOs are discovering is that their security skillset is only part of what is needed for longevity."
Indeed, mega-retailer Target didn't even have a CISO at the time of its catastrophic security breach in December 2013, which compromised up to 110 million customer credit and debit cards and led to the "resignations" of the CEO and CIO. The company finally hired a CISO in June 2014.
That suggests that the CEO and others higher up the executive food chain may not understand the role of the CISO as well as they do other C-level positions that have existed for decades.
Clark said the chance of friction at the C-level is greater not just because the CISO is a relatively new role, but also because it is that of a change agent, "because the threats and the way risk is addressed is evolving. This is why it's important for them to be consulted, engaged and an ongoing part of the business."
And Frymier contends that another reason for that lack of understanding is that most CISOs are not structurally part of the C-suite anyway. "In many -- if not most -- organizations, the CISO reports to the CIO who reports to the CFO or COO, who reports to the CEO," he said. "This person is thus at least two levels removed from the C-suite."
Whatever the structure, those in the field agree that it is mostly up to the CISO to explain that role and how it can enable both the effectiveness and security of the organization.
"CISOs need to learn new skillsets, understand the greater business dynamics that drive the enterprise and be able to communicate effectively to other C-level executives," Wysopal said. "It's about being recognized as a strategic asset to the company."