We see continuing confusion regarding the CISO duties in many organizations. When I saw this opinion piece in SC Mag by an experienced CISO (David Nathans) with both commercial and defense sector experience, I figured we might finally get some clarification. Yeah, I should have known better.
I have been involved in a lot of debate on whether a CISO should be a technical leader or more of a policy writer.
Technical leadership and policy writing are not among the first CISO duties that come to my mind – not even close.
David then explains that the CISO’s duties vary by company. Uh, no. Let me try to be clear here. The duty of the CISO is to be responsible and accountable for the organization’s security program. Period. But the definition, objectives, expectations, and funding models for the security program all depend on the organization.
Clearly how the security program is implemented varies from company to company. That’s why we see so many experienced business folks taking on the CISO job, typically after the technical guys fell on their swords, multiple times. I call these folks “Mr./Ms. Fix It.” They don’t know a lot about security per se, but they know how to get things done in the organization.
When you are asking folks to do things they don’t want to do – which is basically always in security – you need someone who either has compromising photos of key execs, or is a credible businessperson with a long track record of accomplishment within the organization. That credibility provides enough runway to get the security program moving. Without CISO credibility any security initiative will be stillborn.
He also mentions the need to partner with the business to enable secure innovation, and to avoid putting the organization at risk, by pointing out potential issues with emerging business plans, technical services, and partner communications.
The security team’s function could be implementation or just be a validation that chosen technology complies with security policy. A CISO and his or her organizational leaders need to be able to direct technical staff to ensure business objectives and risk tolerances are met.
That is a critical duty for the CISO, which absolutely requires credibility with the business leaders of the organization.
David’s point about the criticality of communications is spot on. Whether it is trying to coerce peers into getting with the security program or providing information about a breach or other attack, the ability to communicate at a high level, in business terms, is absolutely a critical success factor for the CISO.
This is no easy task, as the person filling the CISO role needs to be able to articulate complex technical issues and risks effectively and in a way that is clear, quick to the point, can be well understood, and does not cause any unnecessary panic.
But let’s not forget that without credibility, the CISO (any executive, for that matter) has very little chance of success.
Photo credit: “There goes your credibility” originally uploaded by Hrag Vartanian
One Reply to “Credibility and the CISO”
I think much of the confusion comes from title inflation. We need to get over the thinking that the most Sr. security person is called a CISO regardless of what they do. Consider…
If you report to someone who reports to a CIO, you probably have a very technical role. If you are the most Sr. security person, you might have the CISO title. You aren’t a CISO, you are an IT security operations manager.
Maybe you’ve done OK and you’ve been promoted. You have a slightly larger team now and maybe a manager below you looks after the technical stuff. You figure you need to focus on policy. You might still get called into technical escalations. That’s all fine. But you still aren’t a CISO. You might be an IT security director or similar.
You leave IT, maybe reporting to Risk, Compliance or some other control function. You are beginning to influence the thinking on information security as a risk issue with broader scope than just technology. You still aren’t a CISO. You might be a Director of Information Risk Management or similar.
You have your own budget. You are the peer to the CIO and other executives. You are involved in business decisions and advise on the security risks in corporate strategy discussions. While you may not directly control the security staff (they are embedded in IT, in partners and in line of business areas) you oversee the strategy for securing corporate information assets. This is a board level issue. You are a CISO.
There are very few security programs at the level of maturity where their leader is rightly called a CISO. Until we wring out the pretenders we’ll always be left with a lack of clarity.