The metrics used to gauge the value of most senior executives are often tied to financial performance indicators, such as revenue growth or profitability. However, evaluating the performance and value of a CISO requires a more nuanced approach.

Shawn Bowen is the Senior Vice President and Chief Information Security Officer of World Fuel Services, a Fortune 100 global energy management company headquartered in Miami, Florida.

Check out his interview with Samir Aliyev, CEO and Founder of the Swiss Cyber Institute where Samir discusses with Shawn the value of a CISO, its evolving role, how important it is for a CISO to have a seat on the board and who they should report to, and a lot more.

Shawn, many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

It is becoming increasingly apparent that not all CISOs are experienced enough to discuss cyber risk in the language of the business. But the language of the business is evolving to include cybersecurity, and that will highlight the number of executives who do not have the same understanding of cybersecurity that they possess about other critical segments of running a business (legal, finance, people skills, etc.). It is our responsibility to better ourselves as business partners, and it is our opportunity to educate our peers on the cybersecurity impacts in a way they understand and care about.

Common ways to assess the value of a senior executive to an organisation’s business are to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?

I appreciate that the metrics used to gauge the value of most senior executives are often tied to financial performance indicators, such as revenue growth or profitability. However, evaluating the performance and value of a CISO requires a more nuanced approach. The impact of a CISO is not always directly measurable in terms of profit or revenue, but it’s nonetheless crucial for long-term viability and sustainability of the business.

Some key methods of measurement could include Risk Reduction, Financial Impact, Operational Efficiency, Business Enablement, Talent Management, & Strategic Influence.

Given the complexity and ever-evolving nature of cybersecurity threats, it’s important to note that no single metric can fully encapsulate a CISO’s value. A balanced scorecard approach, combining these multiple facets, will offer the most comprehensive view.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

The significance of a Chief Information Security Officer’s (CISO) reporting structure is highly contingent on both the business model of the organization and the technological acumen of its executive leadership. In enterprises where revenue streams are intrinsically linked to digital platforms, or where core products and services are technology-dependent, it is imperative for the CISO to report directly to the Chief Executive Officer (CEO). However, this presupposes a well-established IT infrastructure and a mature CISO organization.

Alternatively, there are numerous organizations where it may be more appropriate for the CISO to report to other key executives such as the Chief Information Officer (CIO), Chief Technology Officer (CTO), or Chief Financial Officer (CFO), depending on the specific alignment of security with the overall business strategy.

Regarding board participation, the growing prevalence of cybersecurity challenges necessitates an increased level of cybersecurity expertise at the board level, a trend which is currently unfolding.

It is crucial to recognize that the advocacy for a CISO’s board presence should be less about entitlement and more about demonstrating intrinsic value to the business. The decision to include a CISO at the executive or board level ultimately resides with the CEO and/or the board, who must discern the appropriate timing and organizational readiness for such inclusion. The onus is on CISOs to cultivate stronger business acumen and collaboration, thereby naturally warranting their seat at the table, ideally before a crisis mandates it.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

Achieving cyber resilience involves a holistic approach that starts with a comprehensive risk assessment to prioritize vulnerabilities and allocate resources. Subsequently, a well-defined cybersecurity strategy must be aligned with executive leadership for adequate resource backing. Implement a multi-layered defense strategy through technical controls like firewalls and intrusion detection systems, while ensuring data backup and recovery plans are robust. Critical to this are well-trained incident response teams and ongoing employee cybersecurity training. Continuous monitoring through SIEM systems, coupled with periodic audits and penetration tests, forms the backbone of effective response mechanisms. Resources should be allocated based on the severity and probability of risks, and the focus should be on technologies that offer robust defense and quick recovery. The end goal is to integrate cybersecurity into the organization’s fabric, backed by continuous improvement and leadership commitment.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

Security solutions that push that they can solve all of your security problems. Security is easy, anyone can lock a computer up to be highly secure…but understanding the operational requirement of the system to decide what risks are worth taking can’t be solved by a tool. It just helps me achieve that.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

Threat modelling is something that needs to be done more often and by everyone. The best part is it is free (and fun)!

Also, using low-code/no-code or even full coding to automate things. There is a lot of value in SOAR and AI helping the security teams be better…but using a lot of the tools we already have at our disposal can also make our lives a lot easier. We just need to try and enhance the processes like we would for other parts of the business. But we are going to have to do it on our own…so that means get out there and learn!

While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?

Yes, I do think it still remains a challenge because the cybersecurity acumen of management is not up to the same level as the rest of their business knowledge (finance, legal, compliance, etc.). But that is changing quite rapidly in the larger companies.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?

If I could design a team from the ground up I would want to have 65% experienced security professionals in the role they are best at, 25% IT professionals who are transitioning into or doing a rotation in security, and 10% non-IT/non-security professionals who are transitioning into or doing a rotation in security. Obviously, the numbers can flex a little bit, but I think that helps bring different perspectives into the team.

We also need to do rotations within our security team (GRC folks do some time with the SOC, etc.).

According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?

It is both. I think that collaborating with the executive team in person helps build a stronger relationship quicker. And I think there should be a presence with a purpose when meeting with your team. Strategy meetings, quarterly planning, etc. should all be done in person, but the day-to-day management of the work can be done remotely. I don’t mind going into the office, but I like the flexibility to raise my family and spend my free time in a place I really want to be.

What do you look forward to most at this year’s Global Cyber Conference?

Last year was great…but I think the lineup of speakers is so much better this year! It will be a lot of fun. And as always I love to get an international perspective on the challenges we share.