CISOs take a back seat to CIOs in decision-making

Craig Robinson, program director, Security Services at IDC, looks at the disjointed C-suite.

IDC’s recently published Security ServicesView research examines the who, what, why and how-much questions that go into the purchase of a myriad of security services.

One finding that will spark interest among CISOs concerns the continued dominance of the CIO/CTO role as the primary decision maker for security purchases.

Granted, security has its roots in IT, and in the best case IT, security, the rest of the C-suite and the board would all share a common vision.

A disjointed team that doesn’t fully understand the ramifications of its security purchases, because the CISO is not fully engaged in the purchasing process, is like having the head trainer set the starting lineup for a basketball team. It won’t be pretty, writes Craig Robinson, program director, Security Services at IDC.

What Does this Mean for Security Providers?

The struggle of CISOs to gain full control over their budget means that security providers need to diversify their sales approach. Although they still have the historical route to the organisational purse strings through the CIO/CTO office, they also need to be able to pitch their proposition to many different personas.

CFOs are enjoying the variable consumption model that the recent rush to the cloud has allowed. In uncertain economic times, flexibility comes second only to cash on hand, and they will welcome proposals that let them consume security services that flex with economic conditions, just as they already can with their organisation’s cloud usage.

While still working to be the trusted voice to the CISO, security providers also need to expand their sales approach to other offices. Personas such as the Chief Compliance Officer and the Chief Risk Officer are growing in number and collaborating more closely with CISOs, and they can often have significant insight into, if not final sign-off on, security initiatives.

What Do CISOs Need to Do to Gain Control Over Their Own Purchasing Decisions?

Ideally, the most qualified person should have the final word on which vendors are used to provide the security platforms and services the organisation needs. To gain the trust needed to be the primary decision maker, CISOs need to continue to sharpen their business acumen, and be as comfortable discussing the supply chain logistics of their organisation as they are discussing the open-source software used in their cloud apps.

Communication is another key skill, one that will never appear as a certification at the bottom of an e-mail signature but that CISOs need to pick up nonetheless. The tech community loves to speak in acronyms, and the cyber community is no different. CISOs must learn to speak the jargon of the different personas that have an interest in the cost, and even more importantly the capabilities, of proposed security solutions.

If CISOs are going to truly be the architect and the most trusted voice in the huddle of their internal security team, as well as the face of that team to other internal departments and to external parties, they need to be intimately involved in the major purchasing decisions for the security products and services they will be tasked with using. Playing good team ball by inviting other departments to contribute input to these decisions, even when their input is not required, will help give the CISO some gravitas in the organisations they are tasked with protecting from ever-increasing threats.
