Date: 24th of October 2019

Do you as a "C" Suite Executive really listen to your CISO? Part 1

Do you really listen to your CISO? Let's be clear, not just figuratively. Now relax, I am by no means attempting or advocating a 187, but over the last few weeks I have been reading a lot of good posts on LinkedIn about the role of a CISO in the "modern" workplace, and let's be frank here, not a lot of workplaces are really that modern (happy to be corrected). I find it is more lip service than action. But that is just my opinion.

Over the last few years I have seen, both personally and professionally, the role change so dramatically that I am now somewhat confused as to what companies think their CISO should do (supported by a 10 page JD and a very long wish list). Any CISO worth their salt knows full well the challenges they face on a day to day basis, but what is more damaging is companies wanting the CISO to be a jack of all trades or a master of none, to be the technical expert (or not, in some cases), to have the answers like the Oracle from The Matrix (just take the blue pill, life will be easier), but then accusing us of talking in riddles. I give up! If, fundamentally, knowledge is power, and speaking truth to power is not always easy, why is it that I feel as a CISO I consistently have a target on my back and we are the easy ones to blame when things go wrong?

So, a couple of thoughts to spark a little debate, and to be frank I have a few questions. Are you as a senior leader part of the problem or part of the solution? What is the point in having skilled, talented expert advice, for which many of you will pay a premium, if you just choose to ignore it? Your CISO should guide and advise you; you should not be guiding or advising them. Is that not just a pure conflict of interest, or self-interest? So, a few home truths, which apply to both executives and CISOs alike.

"C" Level Role: let's all be honest, information security is not a "C" suite role (in most global firms). Though it should be, we are just not there yet. CEOs talk a lot about it being fundamentally important, but to be frank the majority of CEOs or other "C" Level executives a) don't have the bandwidth to take this on, b) shockingly, in 2019, still see this as an IT problem, c) see it as an expense, and d) in my personal view, treat it more like having insurance rather than actually having assurance. Thus someone to blame when it goes wrong. So are you doing what is right for your shareholders, customers and employees, or do you just talk about doing what is right? I see too much of the latter. A recent study by KPMG showed that about 40% of CEOs are the problem. Does the buck not start and stop with them? Some would say the traditional CEO is probably an antiquated one, so why is security in this interconnected world in which we live deemed less important than other operational risks? Can you function without IT in the modern world? Give it a go… now how secure do you feel about that! (I just sent up a coded smoke signal, hope my food delivery driver got that one!) It should not matter in the end: give your CISO a mandate, delegated authority to act, and the tools they need to do their job. Saying things like "it has not happened to us" or "it will not happen" is just foolish and you're kidding yourself; with a mindset like that, sooner or later you will be delivering food via dog sledge. Ask yourself this, as a senior leader: how exposed am I? I wonder what answer you will actually get. Better still, if you are a NED, ask your executive team how secure they actually are. Would that be a simple or a complicated answer? For CISOs it is always fun to watch!

Job Titles: For me, I could not give a flying fudge cracker what my title is; as a practitioner, call me what you like (always been partial to Starlord, Kal-El or at a push Snuggles!), but some CISOs need the title, the team, the numbers. Listen first, act, don't react! Okay, it is a badge of achievement, which I get; it is also something that is earned over time. If you have been working in security for 3 years, mate, you are not a CISO. However, if you are an expert in your field, does it matter? The title will not "command" respect and you are not there to police, so why do so many CISOs feel the need to automatically be hostile? If you are smart and act in an agile way, with a good framework and a clear target operating model, and you can rely on executives that are open and willing to listen, you might be able to get somewhere. Forget the title, focus on the outcome and delivery! Nothing is too hard. For the executives: be smart about who you hire. Posting jobs for CISOs at £35,000 is just nonsense. Not all CISOs have the same focus, not all have the same work ideology, and we are human, not robots! Communicate, communicate, and do it again.

Reporting lines: Always has been a tricky one. I have worked in companies where security is only deemed an IT issue. Okay, if we were still in the 1980s, using dial up modems and messing around with RACF profiles, sure, that would have made sense. It's 2019; it is not just an IT issue, it is about risk, so why do companies still insist that CISOs should report to CIOs or CTOs, generally with little or no knowledge of the discipline? Which in turn can create more risk, as you spend more time educating them than you do actually educating the masses. In the most simplistic of terms, and using the 3LoD (three lines of defence) as a model for what "good governance" might look like, having security in IT, or reporting to a CIO or CTO, well, is just stupid! Yes, I am being flippant, but good risk management has to start with common sense. I set a policy for my CIO to follow and/or a CTO to implement; now I want to ensure the design and operational effectiveness of the controls that are applied based on that policy. Simple, right? Wrong. Some of us are really good at being able to correctly challenge authority, some not so, so make life simple for yourself!

HR or People: they should be your best friends; however, in most cases they are not. Another antiquated way of looking at the world of cyber security. We talk a lot in the industry about a skills shortage in the UK. Again, nonsense. I personally know hundreds of talented security professionals, but again HR seem to benchmark from an IT pool, and a very small pool at that, to find talent. So open your eyes and look beyond your own narrow thinking. At the end of the day you will get what you pay for; in the same breath, pay over the odds and you will get the kind of people below.

The Champagne CISO: Come on, we have all worked for one of these types of people. Too busy promoting themselves at a) conferences, b) writing or posting on LinkedIn, c) attending events, all of which are important, but find a balance. This is the first opportunity I have had personally to write anything since January; if I put my client first, I know that has more value than me doing this! But hey ho!

Appreciate the work. It is not easy, it is not 9-5, it's not simple, it is demanding, and all CISOs take pride in what we do. Don't use us as the punching bag, as that is just bad management; show me leadership.

My final thought for part 1. We do not scaremonger. The day has long passed for that to be effective; companies are breached daily, it is not fiction, it is fact. If we are telling a company they are at risk, take appropriate action. The relationship between an executive team and a CISO is a symbiotic one; one can't really function without the other. So, if you take away anything from this post, I would say this: it's time to start listening.

The CyberTree Paradox
