May 26, 2015

How CISOs Can Make a Better Case For Security

As more enterprises become digital businesses and rely on applications to keep pace with innovation, the value of security will continue to grow. However, CISOs often struggle with non-IT executive communication and demonstrating how their programs provide value. For enterprises to remain competitive in this application economy, it is up to CISOs to communicate how strong security programs are linked to corporate performance.

For years CISOs have struggled to gain the respect the importance of their role deserves. This is in part because the CISO's role was seen as necessary, but tactical. Also, the metrics CISOs and other security leaders used to demonstrate the value of security focused mostly on technical accomplishments. Because business leaders did not understand the technical language spoken by the CISO, they wrongly assumed that the absence of a breach meant they were secure.

This resulted in CISOs not only failing to receive the respect they deserved, but also being unable to make strong cases for projects they knew were imperative to reducing risk at their enterprises. For example, while application security is a major concern for most CISOs, it is not a priority at most enterprises.

What CISOs need to do is learn to speak the language of their peers in senior management. The best way to make a case for security projects is to link security to the corporation's performance. Gartner provided 8 Practical Tips for Linking Security and Risk Management to Corporate Performance in a recent report by Paul Proctor. I highly recommend that any CISO trying to reduce risk at their enterprise read through this document for practical advice on improving communication with senior management.

You can find it here:

Jessica is part of the content team at Veracode. In this role she strives to create and promote content that will engage, educate and inspire security professionals around the topic of application security. Jessica’s involvement with the security industry goes back more than a decade at companies like Astaro, and Sophos where she held roles in corporate communication and marketing.
