CISOs in the C-Suite: Making Cyber Strategy Company Strategy

Kara Nortman, published in Venture Inside, Apr 13, 2021

By Kara Nortman, Managing Partner & Spencer Calvert, Associate, Upfront Ventures

This article originally ran on TechCrunch.

When you think of the core members of the C-Suite, you probably think of the usual characters: CEO, CFO, COO and maybe a CMO. Each of these roles is fairly well defined: the CEO controls strategy and ultimately answers to the board, the CFO controls budgets, the CMO gets people to buy more, more often, all while the COO keeps everything running smoothly. Regardless of the role, all share the same objective: maximize shareholder value.

But the information age is shaking up the C-suite’s composition. There are a number of drivers behind the explosion of the cyber market to secure the modern enterprise: multi-cloud environments, data generated and stored faster than anyone can keep up with, and SaaS applications powering virtually every function across the org, along with the new types of security posture that coincide with that trend. Whatever the driver, though, this all ladders up to the fact that cyber strategy and company strategy are inextricably linked, and consequently CISOs in the C-Suite will be just as common and influential as CFOs in maximizing shareholder value.

It’s the early nineties. A bank heist. A hacker. St. Petersburg and New York City. Offshore bank accounts. Though it sounds like the synopsis of the latest psychological thriller, this is the context for the appointment of the first CISO in 1994. A hacker in Russia stole $10M from Citi clients’ accounts, typing away at his keyboard in a dimly lit apartment across the Atlantic. Steve Katz, a security exec, was poached from JP Morgan to join Citi as part of the C-suite to respond to the crisis. His title? CISO. After he joined, he was told two critical things: first, he would have a blank check to set up a security program to avoid this happening again, and second, Citi would publicize the hack one month after he started. Katz flew over 200k miles during the next few months visiting corporate treasurers and heads of finance to reassure them their funds were secure. While the impetus for the first CISO was a literal bank heist, the $10M stolen pales in comparison to what CISOs are responsible for protecting today.

Take the recent SolarWinds breach. SolarWinds stock closed December 10, 2020 at a price of $23.55. As news of the supply chain attack broke over the next week, the share price plummeted 40% in 7 days and ~$3B in market cap was wiped out. Today, more than two months after news of the hack first broke, prices have only climbed back to $17.24, still a $2B blow. The financial impact is material, but consider the data exposure as well. When Equifax suffered a data breach in 2017, 143M records were exposed. It took nearly two years for stock prices to return to pre-breach levels. These breaches can erode consumer and Wall Street confidence with a lasting impact.

More recently, Covid and the rapid move to WFH were another forcing function pushing the CISO into the spotlight. CISOs were part of the core executive team responsible for crisis response and interacted with CEOs and Boards during this time more than ever before.¹ The migration to work from home required security solutions: increased patch management hygiene for known vulnerabilities, tracking endpoints that are part of bring your own device (BYOD) programs, and securing overloaded VPNs or standardizing on a zero trust security posture.

Getting the org set up for remote work is just the beginning. The untested attack surfaces in the WFH world resulted in 90% of organizations seeing an increase in the number of cyber security attacks. During this same time, there was a 72% increase in the creation of new ransomware. Hackers came out in droves to take advantage of weaknesses. Similar to Katz at Citi, budgets will grow and CISOs will receive “blank checks” to build security practices to support the new ways of working brought on by Covid, as well as the multi-cloud migration, data proliferation, and SaaS powering functions across the org.

Bringing the CISO into the C-suite and into company strategy makes us better and more resilient across all parts of an organization, from developers and API hygiene, to adding hybrid roles into orgs that sit between IT infrastructure, development, cyber and the business side of the house, to updated board audit committee best practices. Like financial and DEI audit committees, security audits are becoming another core component of board oversight, making the CISO and security that much more central in the C-suite.

As investors seek outsized returns, they need to be more engaged with the CISO beyond the traditional security topics. If you have been reluctant to invest in security, now is the time! Soon we will realize that just as all of us are growth investors, brand investors, and people investors, we are all also security investors because the lines will continue to blur between cyber and adjacent spaces. Grabbing this identity as your own, even just a toe in the water, has the potential to make you a better investor even if you never directly invest in cybersecurity solutions. Plus the industry needs diversity of thought. As we collectively define “the new normal,” CISOs will have a seat at the table to establish cyber strategy that is company strategy.

Give us a ring if you want to hear more about our cyber investment journey, one we will be on until the end of time! The great thing about cyber is the more you learn, the more you realize you have to learn.

Special thanks to Spencer Calvert, my collaborator in developing this cyber thesis and content.

¹ PWC

Partner @ Upfront, Formerly Founder @ Moonfrye, IAC (Urbanspoon, Citysearch, M&A, Tinder), Battery Ventures