Three decades ago, the invention of the chief information security officer (CISO) role seemed like a brilliant idea. Imagine the benefits of a C-suite position for cyber security and how such an executive role would help ensure members of senior management take the issue seriously and provide needed support across the organization. Maybe. Maybe not.
The first generation of CISOs focused primarily on building information security programs, on positioning security relative to the compliance demands then emerging across the public and private sectors, and on the needs of the board’s audit committee. Unfortunately, unlike their physical security counterparts, CISOs largely did not focus on protecting specific assets and mapping the bad guys (threats) and vulnerabilities to those assets. They focused instead on how well the compliance program was executed, regardless of whether the underlying controls actually stopped anyone. This approach created a skills gap and a misplaced focus in the industry that have haunted CISOs ever since.
Cyber security is a multi-billion-dollar industry that continues to spawn more technology and more highly paid jobs than most other areas of IT. But where is the evidence that all of this investment, growth, training and effort has improved the industry’s ability to detect and deter the bad guys? Fear, uncertainty and doubt often show up in the PowerPoint presentations of vendors and in the internal marketing agendas of CISOs, but the corresponding solutions have not produced the tangible business value or effectiveness that has been demonstrated in other IT fields, or even in adjacent fields such as fraud detection or physical security.
Criminals, nation-states and activists seem to succeed at cyber attacks whenever they wish to. Gone are the days of statements from CISOs such as “we have never been breached.” Many CISOs now set the bar fairly low, creating the boardroom expectation that data breaches are inevitable rather than committing to protect the most valuable corporate data. Some CISOs blame the early focus on compliance, IT’s focus on agility and technology change, or the ineffectiveness of security technology for the current predicament. Others feel the real problem is a lack of resources, whether budget or properly trained cyber security people.
CISO to Chief Scapegoat Officer ASAP
It is not surprising, given the lower expectations and results, that some well-intentioned and seasoned cyber security professionals go from CISO to Chief Scapegoat Officer in short order. Part of the problem is that even after nearly 30 years, the purpose and promise of the CISO role are still very much unsettled. Some believe CISOs are not powerful enough, or not properly positioned in the organization, to accomplish the job they have been asked to do.
There are long-standing arguments over the proper reporting relationship of the CISO. If the CISO reports to the chief information officer (CIO), he or she has direct impact on the IT organization and a seat at the table, but many CISOs continue to believe that such a relationship removes “independence” from the CISO’s agenda.
On the other hand, moving the CISO to report to a non-IT supervisor, such as a chief operating officer (COO), may place the position under someone who, in some industries, does not adequately understand technology, or who gives the CISO’s agenda less attention than actual or perceived revenue-generating activities.
What Top CISOs Know
What many top CISOs do know is that to be effective going forward, they must understand the business and make themselves relatable. Over the long run, CISOs cannot maintain the growth in capex and opex spending they have enjoyed unless they can demonstrate a clearer linkage to business results, show quantitatively that they protect shareholder and business interests, and measure the impact of their efforts in ways that non-security and non-IT people can understand.
Although the CISO role is still nascent compared to many C-level jobs, it must evolve faster to survive, with agility and a scope that spans security, business, IT and corporate governance.
Eddie Schwartz is board director at ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.