Before we delve into the reasons why CISO roles fail, or, to be fair, are rarely as effective as an organisation needs them to be, we should explore the role.
The ideal list of CISO responsibilities includes:
Devising a security program to establish security policies, standards, and guidelines.
Strategically planning so that security aligns with the business's direction and objectives, and supports the business.
Investing in security capability to drive cyber resiliency and reduce cyber risk.
Acquiring sufficient funds to address security concerns and enable future security investment.
Articulating cyber security risks, communicating security strategies and reporting on security progress to senior management and other C-level executives.
Communicating the security strategies to subordinate security staff and governing their implementation.
Aiming to meet, or assisting in meeting, the organisation's compliance requirements.
Ok! Now that we have that out of the way, let's explore some of the reasons why the majority of CISOs aren't overly effective at their job.
Qualifications
In my experience it is rare to find a CISO that has the necessary experience and qualifications. CISOs need to have a broad understanding of all areas of security. They need to understand, at a minimum, security controls, the security industry, security frameworks, cyber industry trends and the organisation's threat landscape. They need to understand the business extremely well. The CISO role cannot be performed by someone who hasn't had a lengthy career in the cyber security industry.
My personal preference is that a CISO is an individual who has worked their way up from the lower ranks, from the trenches, eating and breathing security daily. You know, the stuff that gets your hands dirty! Too many times I see people taking on the CISO position from another field because they already hold a senior position, or with extremely little time in the cyber security industry. I would expect CISOs to have around 10 years' experience in cyber security before they move on up to a CISO role, preferably having held several cyber security roles.
Experience is one thing, but it must be complemented with formal qualifications. The CISO needs to hold an IT university degree and obtain security industry certifications from organisations such as the International Information System Security Certification Consortium (ISC)2 or the Information Systems Audit and Control Association (ISACA). There would also be the expectation that they have formal training or certification in risk management standards such as International Organization for Standardization (ISO) 31000. They need to regularly attend cyber security industry conferences and training and be active in the cyber security community.
CISO: a pathway to the real C-level executive positions
Well, there, I said it! No turning back now! Yep, so many individuals see the CISO position as a stepping stone to better understood and more mature roles in the C-level suite. The most notable transition I see is CISO to CIO. For this reason the CISO role is an attractive option for progressing C-level ambitions, and is one of the reasons why we see many unqualified individuals fill the position. This is only possible because the role of a CISO is poorly understood (as is security in general, though better than 20 years ago). With a poor understanding of the role comes a poor understanding of the qualifications and experience needed to actually do the job. This ties back to the earlier section on qualifications.
Money Troubles
They say money can't buy you happiness... perhaps, but it sure can buy a lot of security to reduce unacceptable risks to an organisation. If only we had a position with the responsibility to get us that money to fix our security woes. Oh yeah, we do! Enter the CISO.
As a CISO, you need to have the ability to ask for money and get it from the rest of the C-level executives / Senior Leadership Team (SLT), namely that very frugal CFO. Don't just come up with a nice strategic plan and costings on how you are going to increase cyber resiliency. Cyber what now? How will that help us, and help us make more money? Those are the questions the organisation's board will be asking. I never said it was an easy task, but there are several approaches a CISO can take to fill their money jar. The three most common are listed below.
A Risk Lens
If the organisation has a very well understood enterprise risk management framework, then providing a risk assessment containing the top security risks should be an acceptable approach. It is important to link the requested funding to the mitigation of each risk. It is also important to emphasise the consequences of each risk, not just its likelihood. The reason I say this is that the board will have a greater comprehension of, and take more notice of, consequences such as financial loss, loss of life, legal action, failed compliance obligations and damage to business goodwill/reputation. (Note that I am not condoning scaremongering, so don't be too aggressive with this approach.) Contrast this with focusing solely on the likelihood of risks, which talks about probability in language like a 1-in-100-year or 1-in-10-year chance of an event occurring: the best way to lose your audience.
The Distributed Funding Model
If the concept of risk management is foreign, the organisation just loves highly rated risks, or it doesn't truly understand what a risk means, have no fear, as this approach is for your CISO! The CISO in this situation can look at other benefits of security that are not clearly seen through a risk lens. Security can be an enabler for organisations, such as moving into other digital channels, deploying further functionality for customers, partnering with other organisations, and implementing new technology to gain an edge over the competition. It can also be seen as helping to build the agility to respond to changes in the market.
This approach relies on the CISO ensuring that security is costed as a mandatory component of other proposals or business cases asking for money. For example, a budget for a new mobile app must include a percentage of security funding. The security components of all budget submissions are pooled together and spent across the programs/projects, which in turn allows security services to be delivered to them. It also provides an important opportunity to use that funding to build security capability that enhances cyber resiliency. This source of security funding can't be relied on by itself, as dedicated investment is still required, but it goes a long way towards bolstering the security budget and ensuring existing security services keep pace with organisational growth.
It's Strictly Financial
With this approach, the CISO ties the cyber resiliency budget to a financial exposure amount. That financial exposure amount is the cost the organisation would incur from a cyber security incursion. The cost is the total financial loss across all the relevant consequence scenarios in the organisation, as defined by the enterprise risk management framework, e.g. business reputation, legal costs, non-compliance and direct financial loss. This should be represented in a chart showing the correlation between the yearly cyber security budget and the yearly cyber security exposure over several years. An example chart can be seen below.
The Odd Couple
Here we look at two unlikely partners who need to work together to secure a healthy security budget. In one corner we have the CFO, who is driven by cost management and profitability. In the other corner we have the CISO, who is concerned with digital security and infrastructure. On the surface it definitely looks like a misalignment of competing priorities.
Let's look more closely at the roles. The CFO is uniquely positioned to decide the risk tolerance of the organisation. They look at the regulatory environment, the financial capacity of the organisation to absorb losses, its strategic objectives and market conditions to determine the level of acceptable risk. The CISO essentially manages cyber risk, which is just another form of business risk that can cause financial loss through a raft of consequences, e.g. fines from regulators and the clean-up costs of ransomware events or other cyber incursions.
Both positions should use a common language and understand each other's role in the organisation, to realise that they are allies instead of foes. They should work together to ensure a strategy to mitigate those risks is clear to the CEO and CIO, and develop an investment strategy aligned to achieve the mitigation objectives. This last point is pertinent, as cyber security budgets are ultimately decided by the CEO, followed closely by the CIO, due to organisational hierarchy. The CEO and CIO have many competing priorities, so again a joint effort by the CFO and CISO makes for an effective team to put forth a strong case for strategic and tactical funding.
In the Real World
Typically, the CISO would gauge the type of organisation and the personalities in the C-level suite to select the approach that will work best. The CISO should not rely solely on one approach; in reality, a combination of the approaches mentioned above will be most effective. As the organisation changes over time and different people fill the C-level positions, the CISO should not be apprehensive about changing the strategy.
Nothing to see here, move along.
I have seen many CISOs downgrade risks or overstate their cyber resiliency capability in order to preserve their role and give the perception that they are performing well at it. Unfortunately, this is counterproductive, as it makes it less likely that sufficient funding will be forthcoming to bolster security. It is somewhat alarming to see this behaviour considering most organisations are well behind in their security maturity. Unless an audit or a security incursion/incident takes place, this behaviour is seldom brought to the attention of other C-level executives.
Steer the ship, don't man the oars.
A CISO must be able to make use of the individuals they hire in their respective fields. The CISO's subordinates are the subject matter experts. Work with them, review their reports, conduct regular workshops, and listen to their opinions on a wide range of matters. You should not be doing the leg work in a particular cyber security field or pretending to be an expert in technical streams. A well-informed CISO will make better, justified decisions. Clear direction is also important. The CISO should ensure each team is given clear direction, tailored to its area. A strategy or policy providing the cyber security direction may mean different things to different teams.
Final Thoughts
Whilst this is not a comprehensive list of the issues hampering the effectiveness of CISOs, it does highlight some areas of concern. As the industry matures over time, I hope the CISO role will become better understood and be performed by more qualified, experienced individuals. Unfortunately, as over 20 years of experience in this industry has shown me, the rate of improvement in the cyber security industry moves at a snail's pace in contrast to technological developments.
- By Security Truth
A very insightful article!
Excellent article!😀