Chief information security officers (CISOs) have today replaced chief information officers (CIOs) as the most undervalued C-level managers. In fact, according to a survey by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), almost one third (29 percent) of companies today still have no CISO role or equivalent. And where such a role exists, the CISO is often relegated to "glorified administrator" status rather than treated as a strategic business function.
It is therefore no surprise that CISOs are routinely fired or "resign" after major data breaches. When shareholders and customers demand blood after an incident, the CISO is the sacrificial lamb, even when there was no realistic way the CISO could have prevented the incident under the operating circumstances (which may include insufficient budget, headcount and business visibility). This is often a self-defeating act, as the CISO is usually the most qualified person to handle the post-mortem investigation, remediation and compliance checks.
In many ways, the situation of today's CISO mimics it as CIOs in the 1
Cyber Security is a Secondary Risk
Cyber security is all too often not a top priority in corporate risk management. Several factors drive this phenomenon, including:
- Many organizations have not established a consolidated governance, risk and compliance (GRC) function, so cyber security operates in its own silo, with business leaders often blissfully unaware of potential cyber risks until something goes wrong (i.e., a data breach).
- Historically, the financial risk from cyber security has not been as serious as that from traditional forms of risk, such as litigation, supply chains, competitive issues, etc., so executives have not elevated cyber security to its appropriate level of emphasis. This is becoming increasingly dangerous as regulations with real teeth, such as GDPR, are enforced and cyber criminals become more enamored with ransomware and other attacks that can cause serious harm to the business.
- Business requirements often take precedence over security, so companies proceed with digital transformation initiatives without undergoing appropriate security reviews. This has dramatically expanded the corporate "attack surface", as companies adopt new IT paradigms, such as cloud and mobile, without taking appropriate security measures.
These problems have given security a bad name – they are "the guys who always say no" to new digital business projects – so many business executives either do not think to invite CISOs to strategic discussions or deliberately avoid doing so to keep security from becoming a roadblock to new initiatives.
This dynamic exposes many companies to potentially devastating consequences. And in this age of GDPR, California's Consumer Protection Act, and next-generation ransomware and denial-of-service attacks, a company's security capability also becomes a matter of survival.
Put it all together, and many CISOs today exist in environments where they are not understood by business executives and are therefore not part of business initiatives until it is too late and security risks expose the company to cyber attacks and compliance violations. All of this takes place amid a global skills shortage that has left security staff overworked and focused on everyday "keeping the lights on" activities rather than the more strategic pursuits that could advance the business (like securing the next digital transformation initiative). And finally, the CISO is the most convenient scapegoat when bad things happen, so data breaches hang over their heads like a career-ending sword of Damocles.
Time to walk the walk
What is a CISO to do? Simple – get up and take a walk (literally, not figuratively).
CISOs should follow the leadership technique pioneered by Bill Hewlett and Dave Packard in the late 1950s: management by walking around. They should make a point of getting outside their security bubble and walking around the company, talking to business people about their latest initiatives and goals.
This is the most common advice I give to CISOs – because "bubble capture" is the most common disease I see. Walking around and talking to business people not only gives CISOs valuable information that should feed into the security strategy. It also gives them the opportunity to educate business leaders that they are not roadblocks or a "necessary evil" and can instead dramatically improve the long-term likelihood of success for business initiatives. They can educate everyone – from product managers to the CEO, up to the board – that digital transformation is not the ultimate goal of the business; secure digital transformation is.
Walking around will also be valuable training in speaking plain English. Many CISOs have difficulty communicating their value to business executives simply because they have not mastered the ability to express what they do in terms that are meaningful to those executives. Telling the CFO that you successfully foiled 2,345 attempts to intrude into the network means nothing in business terms. Telling the CFO that your data security project will protect the company from GDPR violations that could cost up to 4 percent of annual revenue will mean a lot.
To create a more sustainable and rewarding career path, CISOs must make the same transition CIOs made around the turn of the century – the transformation from "techno-geek" to "business person who is also a technical expert". Consequently, many of today's most successful CISOs have MBA degrees. According to a 2018 Forrester Research report, 43 percent of Fortune 500 CISOs have an advanced degree, and about half of those are MBAs. Leading CISOs know they must be business people first, technical experts second.
This transition will not happen organically. CISOs must make it happen. Organizations that do not include the CISO in business discussions will not suddenly "see the light" and roll out the red carpet at the next board meeting. Instead, CISOs must become known as professionals who understand the business and can take the risk out of the next generation of digital initiatives. Getting an advanced business degree will certainly help in that effort. But degree or no degree, the easiest way to change the conversation around security is simple: get up out of your chair and walk around.
Joseph Schorr is a global executive director at Optiv Security in Denver. He works with the CISOs of large companies to solve their most important security issues.