Why does it appear that the CISO is a second-class
executive? Are CISOs the victim of a business that “doesn’t get it”? Or is the
business a victim of CISOs that “don’t bring it”?
The plight of the CISO is well
documented. It can be a challenging and thankless role that is accompanied by
high stress and an equally high turnover rate.
CISOs often believe they are not given
a fair chance by business executives and are essentially obstructed from doing
their job. They frequently feel they don’t report to an appropriate or senior
enough executive, don’t have a prominent enough position at the board table,
are not given enough budget, and lack respect of C-Suite executives.
Why is this? Is it that business
executives:
- Don’t care enough about
security? - Don’t understand the scale of
the problem? - Want a ‘checkbox’ for security?
- Want to invest as little as
they feel they can get away with?
The crux of this problem is the perceived
value return of security under the leadership of the CISO. Two key points
really undermine the CISOs perception:
- The CISO’s difficulty in
convincing what ‘good looks like’ from a security investment, and security
results perspective. Basically, is there a strongly correlated relationship
between security investment, and risk/ impact control? - The CISO’s difficultly in
getting past reporting from a ‘technical and operational security’ perspective,
rather than a robust and easy to understand risk and impact perspective.
Generally, you don’t get a seat at the
board table by just seeing a board level problem. You get a seat at the board
table by having a credible strategy and business plan to achieve board level
objectives and solve board level problems. Do CISOs today effectively bring a
board level security solution to the table? Or, how does a CISO’s ‘solution’
stack up against competing executives’ pitches for budget?
The argument that CISOs are ‘stuck’
reporting into the ‘wrong’ executive is a function of the perceived value they deliver.
Where you report often speaks to where the business believes you have the best
chance at having success. Business executives want to maximize success and minimize
failure.
What is the ‘right’ amount of security
investment? Most things in life (e.g. buying dinner, a vacation, or a house)
it’s easy to see the relationship between cost and expectation. This works with
most departments in business as well (e.g. R&D, marketing, sales, legal,
IT). There is a reasonably obvious connection between quality, quantity, pace,
and cost. Unfortunately, using conventional approaches a CISO has a challenge
linking what the business gets from an amount of investment. Is there a way for
a CISO to provide a plan, like the other department heads, to strongly link and
measure quality, quantity, and pace to achieve an agreed expectation of
results?
The reality is that business
executives do:
- Care about protecting vital
business assets and interests. In fact, their personal brand is on the line as
business executives are coming under direct fire in the aftermath of cyber
breach. - nderstand the scale of the
problem, and they are terrified about it. In fact, they have little confidence
that a public breach isn’t imminent, and they see the consequences. - Want credible cyber resilience options,
but they aren’t receiving them from the CISO. This puts business executives in
a bind and corners them into producing the most common tangible option as a CYA,
which is usually compliance to a security framework. This is easily perceived by
the CISO as only wanting a ‘checkbox for security’ - Have a fiduciary duty to spend
wisely. Executives are “damned if they do, and damned if they don’t” with investment
in security. Because the CISO doesn’t bring credible security investment
options, nor justified results, but the obvious need to protect business
interests from security breach, they are caught in an opportunity-cost Catch-22.
If a CISO cannot pragmatically solve
board level security problems; if they cannot establish costs vs. agreed
expectation of results, and provide a credible business plan, then it seems to
follow that they are not punching at the Board level.
Because it is clear that security is a
board level problem, and the CISO is not bringing board level solutions, the
reasonable outcome is a tough life for the CISO and limited authority and scope.
Unfortunately, the trickle down is poor morale and hiring and retention
challenges which exacerbate the perception and execution problem of the CISO.
The
best thing Boards can do is manage cybersecurity risks as they would any other
business risk. To be effective, there must be a working relationship between business
executives and the CISO, where the CISO has aligned goals, strategy that drives
cyber resilience options, a business plan that gives leadership clear risk
appetite choices, and an implementation plan that delivers results.
Douglas Ferguson, Founder and CTO of Pharos Security
