Why does it appear that the CISO is a second-class executive? Are CISOs the victim of a business that “doesn’t get it”? Or is the business a victim of CISOs that “don’t bring it”?
The plight of the CISO is well documented. It can be a challenging and thankless role that is accompanied by high stress and an equally high turnover rate.
CISOs often believe they are not given a fair chance by business executives and are essentially obstructed from doing their job. They frequently feel they don’t report to an appropriate or senior enough executive, don’t have a prominent enough position at the board table, are not given enough budget, and lack the respect of C-suite executives.
Why is this? Is it that business executives:
- Don’t care enough about security?
- Don’t understand the scale of the problem?
- Want a ‘checkbox’ for security?
- Want to invest as little as they feel they can get away with?
The crux of this problem is the perceived value return of security under the leadership of the CISO. Two key points really undermine the perception of the CISO:
- The CISO’s difficulty in conveying what ‘good looks like’ from a security investment and security results perspective. Basically, is there a strongly correlated relationship between security investment and risk/impact control?
- The CISO’s difficulty in moving beyond reporting from a ‘technical and operational security’ perspective to a robust and easy-to-understand risk and impact perspective.
Generally, you don’t get a seat at the board table by just seeing a board level problem. You get a seat at the board table by having a credible strategy and business plan to achieve board level objectives and solve board level problems. Do CISOs today effectively bring a board level security solution to the table? Or, how does a CISO’s ‘solution’ stack up against competing executives’ pitches for budget?
The argument that CISOs are ‘stuck’ reporting into the ‘wrong’ executive is a function of the perceived value they deliver. Where you report often speaks to where the business believes you have the best chance at having success. Business executives want to maximize success and minimize failure.
What is the ‘right’ amount of security investment? For most things in life (e.g. buying dinner, a vacation, or a house) it’s easy to see the relationship between cost and expectation. This works with most departments in business as well (e.g. R&D, marketing, sales, legal, IT). There is a reasonably obvious connection between quality, quantity, pace, and cost. Unfortunately, using conventional approaches, a CISO struggles to link an amount of investment to what the business gets for it. Is there a way for a CISO to provide a plan, like the other department heads, that strongly links and measures quality, quantity, and pace against an agreed expectation of results?
The reality is that business executives do:
- Care about protecting vital business assets and interests. In fact, their personal brand is on the line as business executives are coming under direct fire in the aftermath of cyber breach.
- Understand the scale of the problem, and they are terrified about it. In fact, they have little confidence that a public breach isn’t imminent, and they see the consequences.
- Want credible cyber resilience options, but they aren’t receiving them from the CISO. This puts business executives in a bind and corners them into producing the most common tangible option as a CYA, which is usually compliance with a security framework. This is easily perceived by the CISO as only wanting a ‘checkbox for security’.
- Have a fiduciary duty to spend wisely. Executives are “damned if they do, and damned if they don't” with investment in security. Because the CISO brings neither credible security investment options nor justified results, yet the need to protect business interests from a security breach is obvious, they are caught in an opportunity-cost Catch-22.
If a CISO cannot pragmatically solve board level security problems; if they cannot establish costs vs. agreed expectation of results, and provide a credible business plan, then it seems to follow that they are not punching at the Board level.
Because it is clear that security is a board level problem, and the CISO is not bringing board level solutions, the reasonable outcome is a tough life for the CISO and limited authority and scope. Unfortunately, the trickle-down effect is poor morale and hiring and retention challenges, which exacerbate the CISO’s perception and execution problem.
The best thing Boards can do is manage cybersecurity risks as they would any other business risk. To be effective, there must be a working relationship between business executives and the CISO, where the CISO has aligned goals, strategy that drives cyber resilience options, a business plan that gives leadership clear risk appetite choices, and an implementation plan that delivers results.
Douglas Ferguson, Founder and CTO of Pharos Security