When situations go awry in an organization, there's a tendency to create new, executive-level positions by establishing the classic “one throat to choke” policy if problems persist. For example, if tacit knowledge is leaving the organization without being captured, an organization might be compelled to establish a chief knowledge officer (CKO) position. If an organization fails to implement a meaningful strategy, a chief strategy officer (CSO) position is sometimes established. If an effective marketing strategy isn't in place or the marketing strategy fails, perhaps a chief marketing officer (CMO) will solve the problem. Or when an organization encounters an oversight in a technology decision, they might create a chief technology officer (CTO) position.
Although there is value in the growing number of C-suite positions, my main concern is the unrealistic expectations that are often associated with desired results. One memorable quote that I come back to when I ponder this topic: “We don't need more opinions, we need more hands!”
The Clinger-Cohen Act of 1996 established the federal CIO positon and area of responsibility. Still, the Federal Chief Financial Officer Act often empowered CFOs to perform tasks that ran counter to the CIO's area of responsibility. The CTO position emerged as perceptions grew that CIOs often lacked the skills needed to lead the technical direction of an organization. Consequently, CIOs were essentially in figure-head roles because they lacked line and budget authority over staff who contributed to, or negatively impacted, their areas of responsibility. As more CxO positions were created in the technical realm (CTOs, CISOs), areas of responsibility became more fragmented. It's a paradoxical situation for CxOs to be ultimately responsible for tasks over which they do not have line authority; albeit not uncommon.
...there's no top dog or one throat to choke when it comes to cybersecurity.
Which brings me to the establishment and evolution of the chief information security officer (CISO). Organizations that create CISO positions need to be brutally honest with themselves. Are they creating the position to establish “one throat to choke” in an attempt to abstract upper management from cybersecurity responsibility by establishing a scapegoat? Or are they truly committed to doing what is necessary to make the CISO area of responsibility successful? Our society seems to favor someone getting fired when bad things happen, or the establishment of a CxO position to ensure the problem never happens again. Remember, authority can be delegated, but not responsibility. Unfortunately, a frequent theme when I speak with CISOs is, “They give me the title, but no line authority, staff or budget.”
These historic vertical areas of responsibility can lead to inherent vulnerabilities. Waiting for a breach to occur to start doing swim lane assessments of areas of responsibility as a measure of comprehensive cybersecurity strategy is counterproductive. Avoiding the process of identifying the “top dog” as a result of massive technological and operational area of responsibility convergence is necessary.
In my opinion, there's no top dog or one throat to choke when it comes to cybersecurity – at least not below the CEO. The one-throat-to-choke theory is a fallacy. Far too often, a band-aid approach is implemented in an attempt to correct a far more serious problem. It might provide some initial comfort, but it seldom yields meaningful and sustained solutions. Regardless of what positions are called, cybersecurity is an organization-wide responsibility.
Organizations are working hard to address the cybersecurity workforce challenges. However, it is essential to begin the hard work of positioning cybersecurity as an enterprise-wide responsibility. Establishing cybersecurity-related desired outcomes in performance plans across the enterprise is a good start: Because what gets measured tends to get done. Cybersecurity needs to be a standing topic of discussion amongst respective board of directors, CEOs and C-suite executives, as well as across every business unit and employee. Granted, you can apply the one throat to choke argument to essentially any discipline, but more often than not, it's a fallacy. CISOs need all the help we can give them – so don't aim directly for the throat the next time a problem arises.
David Shearer is CEO of (ISC)², a nonprofit organization which specializes in information security education and certifications.