Over the past few years the security industry has seen a rise in the number of appointed CISOs. At companies where previously the security team was small, secluded, and likely managed by the CIO, it is refreshing that mention of a CISO is no longer followed by puzzled looks or blank stares. While the position is becoming more familiar within enterprises, it is by no means the norm. Furthermore, despite the presence of a chief information security officer at a company, more likely than not, that person doesn’t hold the same rank as other C-levels. Chief financial, information, marketing, and legal officers, for instance, generally report directly to the CEO, whereas the CISO…well, not so much.
You know I dream in color
According to The State of Cyber Security Professional Careers report published by ESG on behalf of ISSA International, 67% of individuals surveyed say that their organization currently has a CISO, CSO, or “similar executive-level cyber security position in place today.” However, other surveys put the number of organizations with a C-level or similar security position closer to 50%. The optimistic perspective is that, whichever percentage you choose, the number is growing year upon year; there’s little dispute in that—and this fact is good for the profession as well as those organizations keen enough to understand the importance of having a dedicated security leader.
To the former point, however, and of more concern, a significant majority of CISOs do not report directly to the CEO, and many don’t even report directly to the CIO; the CISO/CSO reports to someone who reports to the CIO. So while the overall number of senior-level security appointments is growing, the position still isn’t viewed with the same level of “trusted advisor” status as other senior executives at the organization.
And do the things I want
Why is this happening? For one thing, the industry is nascent compared to other business disciplines. “I’ve been in security for 20+ years though,” some of you may be thinking. True, but finance, sales, operations, etc. have been around for centuries! Even as the pace of business transformation has quickened in the last few decades, age-old professions are able to build on solid foundations whereas security is still hardening the concrete.
For another thing, the “data explosion” and infinitely connected enterprises have only occurred within the past 5-8 years (depending on whom you ask and which aspect you’re considering). Security teams are still learning how to deal with the realities and difficulties of “securing everything,” a consequence of which is the corresponding number of breaches taking place daily. Breaches are so omnipresent in our society that news of them is no longer met with shock and awe.
Which leads to the third reason: business executives see money, time, and resources being poured into cybersecurity while hearing over and over from the security team that all companies can expect a breach. “It’s not ‘if’ but ‘when,’” is a common warning. Security is a hard business and should be considered just another part of the risk conversation—one with which the company is intimately familiar. Yet, senior-level security practitioners still don’t embrace security’s inclusion in the business; security practitioners often feel they’re working in opposition to the business—slowing purchases, implementations, or launches due to lack of security involvement from the get-go. It’s a double-edged sword, to be sure. Security should be involved with these types of projects from the start, and when it isn’t (assuming security learns about the purchase/implementation/launch before it happens), it’s unwise of the business to proceed without any caution. Why, though, is security routinely left out? Because of the reasons listed above, and because security, itself, continues to keep the business at arm’s length.
You think you got the best of me
At this year’s DerbyCon, a traditionally hacker-/tools & techniques-focused conference, at least three presentations addressed the topic of how security can, and why it should, work more closely with other departments. DerbyCon is not unique in this respect; the industry talks a lot about security’s need to “speak the language of the business” and work towards goals that support business initiatives. Every time you turn around, security people are saying the same thing, but the industry isn’t moving fast enough. The fact that only a small fraction of companies have a CISO reporting directly into the CEO is evidence enough that the CISO doesn’t have the proverbial seat at the table. At least not at the grownups’ table.
Stand a little taller
To speed up progress and become a true business influencer, senior security practitioners need to steer clear of FUD and embrace tenets of leadership:
Security can be proud of progress made in the last several years, but the industry can’t afford to rest on its laurels. Though the number and rank of senior security practitioners are rising, much work is yet to be done. Security needs to earn the trust and respect required to own a seat at the table. We’re getting there—but don’t give up until it’s more common to hear, “Where’s the CISO?” than “What is a CISO?”