CISOs and Their Relationship to CEOs and the Company Board
I once was in the Air Force's Strategic Air Command. The commander was called CINCSAC. We used to joke that Step #1 on the CINCSAC's problem-solving checklist was "Fire Wing Commander!" A CINCSAC did say "I did not have time to differentiate between the unfortunate and the incompetent." According to what I read CEOs often act like CINCSAC to their CISOs when there is a breach, even if previously denying the support and budget that would have prevented the breach. So how about being inventive in gaining your CEO's attention? Do you, as a CISO, speak the same language as your CEO and board? You probably do not and though you have tried, you are not getting through. CEOs, like generals, absolutely hate having their time wasted, like in a long training session. But they do like being among the smartest people in the room.
They read business books, and they read a lot when traveling. Give them a copy of Professor Brian W. Kernighan's Understanding the Digital World: What You Need to Know about Computers, the Internet, Privacy, and Security. Second Edition. Princeton, NJ: Princeton University Press, 2021. The material in the book was used as Princeton University course material for non-IT majors. It is superbly written. If you get it in your CEO's reading stack, you may be surprised by their inciteful questions at your next presentation. Be happily forewarned!
You know your own company’s non-IT senior leaders and their learning styles. If your CEO fits the expression “Here to lead, not to read,” try a different approach. Consider taking them to a hacker conference. Or for hands-on learners, create a make-your-own adventure tabletop exercise that brings them to successful decisions. Semper Sec does this for clients and particularly for non-IT stakeholders they find it engages and helps them!
Best to all,
Dad (Jay Carson)