Corporate boards take heed: Give CISOs the cold shoulder at your peril

source link: https://www.csoonline.com/article/647795/corporate-boards-take-heed-give-cisos-the-cold-shoulder-at-your-peril.html
Opinion
Jul 31, 2023 | 6 mins
C-Suite, CSO and CISO, IT Director

There’s an ongoing shift to recognize the key business value of cybersecurity leaders. It’s a good time for CISOs to assert themselves.

[Image: a concerned businessman reviewing reports. Credit: fizkes / Shutterstock]

The debate over whether the CISO should, by the very nature of the position, be considered a member of the corporate executive team (known colloquially as the C-suite) has been raging for some time and seems likely to continue for a good while to come. I believe the CISO should not only have a seat among the uppermost echelon at the big table but also be recognized as a foundational element in the success of any business.

I have often opined, along with many of my peers, that it doesn't really matter where the CISO sits if responsibility and accountability are clearly charted and senior-most management is engaged and supportive. But that is a rare situation -- a CISO Nirvana, if you will -- as many CISOs don't feel seen by the C-suite or the board.

In the US, there are clear signs of a shift underway toward recognizing the key business value of cybersecurity leaders -- the US Securities and Exchange Commission (SEC) has ramped up its support for cybersecurity as a top business concern and expressed its opinion that the CISO should be seen as an integral part of the enterprise's decision-making team. So how does the CISO go about gaining recognition for this engagement with their co-executives?

The CISO should be unafraid to speak truth to power

We've all heard the adage "speak truth to power" and few will argue that the CISO's role requires the fortitude to speak truth, no matter how ugly it may be. Often, the result from your executive colleagues may seem to embrace the Japanese proverb "The nail that sticks out gets hammered down," and this is a reality. Yet, I believe when familiarity and trust are present, the hammer stays in the toolbox and the truth being shared is recognized for its utmost importance.

Part of speaking the truth is the need to prepare one's co-executives for the "when" not the "if" of cybersecurity incidents, Armis CEO Curtis Simpson tells CSO. His philosophy of "keeping incidents at the scale of being the least disruptive" has great merit. "Major incidents are the events which are disruptive at scale and cause churn within the infosec teams," he says. "It is important that co-executives understand the playbook, discuss the results of tabletop exercises and the gaps identified and mitigation plans. The key is transparency."

Positioning cybersecurity as a strategic part of the business

The SEC push for boards to have an individual director focused on cybersecurity has great merit and the rationale is founded on the truth of the situation, according to Jake Seid, a partner at Ballistic Ventures. "Few boards are equipped to deal with CISO challenges," Seid says. "The assumption that CISOs are not siloed and are integral to the business may not be the reality, yet it should be. They are a strategic part of a business's success. For those doing business with government, the CISO's role may determine business outcomes, given the certifications and attestations required," which is a clear rationale for not being siloed.

How the CISO speaks to co-executives is equally important, Snehal Antani, CEO of Horizon3, tells CSO. His advice: "The CISO needs to shift away from discussions about technologies and focus on outcomes, speak more to business continuity, and risks and risk mitigation," all focused topics that are strategic to business success.

Team-building retreats can help raise a CISO's profile

Retreats can help raise a CISO's profile -- no, not the "retreat from the fray" type of retreat, but the engagement type of retreat. There is an entire industry built around team building, and few will argue that individuals who share an experience don't come to know one another better.

This is an opportunity to build trust with one another, according to Simpson, who expressed his positive experiences in "executive retreats where they give Myers Briggs [tests] and help explain how to communicate with each other. It is a great asset. There is no substitute for face time with your fellow executives. It not only builds familiarity, it also builds trust." Not only should a CISO push for an invitation to these kinds of events, but they should also encourage any opportunity to extend the scope of their cyber evangelism.

CISOs need to constantly reiterate their value to a company

In a similar vein, Manny Rivelo, CEO of Forcepoint, noted that "CISOs need to bring their value forward as their teams heighten productivity, increase ROI, and ensure a higher level of compliance for the company's sectors."

CISOs shoulder tremendous responsibility and as such, should be held accountable for the responsibilities they shoulder. That said, they also must be resourced adequately. Seid observed that the CISO "needs to be held to the same standards as the CFO and should engage the C-Suite in a similar manner."

And the kicker is, as recent experience has shown, that CISOs who don't feel recognized or valued or are stressed and headed for burnout won't stick around. For them, it's like the line from the Kenny Rogers song: "You gotta know when to hold ’em, know when to fold ’em." That's no good for the company and no good for business in general -- something boards should consider when they're reluctant to bring the CISO into the executive fold.

Freezing out the CISO can ultimately leave a company vulnerable

The reality is that every role has a start date and end date when an individual moves on to the next opportunity or challenge. According to Simpson, the CISO should be astute enough to "know when it is time to go" and particularly "when the business starts playing the blame game."

Corporate boards should pay heed to this: it's in no one's best interest to give the CISO the cold shoulder and have to start searching for a new one in a very dry and difficult hiring environment. Not to mention the perilous situation in which this leaves a company when there's no one driving the cybersecurity bus at a time when vulnerabilities and incidents are ever on the rise. When the CISO has a seat at the big table, everybody wins.
