Chief Information Security Officers (CISOs) have replaced Chief Information Officers (CIOs) as today's undervalued C-level executives. In fact, according to research by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), nearly a third (29 percent) of companies today do not have a CISO role or an equivalent. And where such a role does exist, the CISO is often relegated to the status of a "glorified administrator" rather than a strategic business enabler.
Because of this, CISOs are almost always fired after a serious data breach. When shareholders and clients demand blood after a breach, the CISO is the sacrificial lamb, even though the CISO often had no realistic way to prevent the breach under the conditions in which they operate (possibly with insufficient budget, insufficient headcount, and insufficient visibility into what the company actually comprises). This is often self-destructive for the company, because the CISO is typically the most qualified person to carry out the forensic examination, the cleanup and the compliance checks.
In many ways, the plight of today's CISO mimics that of the CIOs of the 1
However, companies have been slow to tackle this digital transformation. Of the companies that have a CISO role, only 44 percent of ESG/ISSA respondents indicated that their CISOs work well with CEOs and boards of directors. As a result, CISOs today often make the same complaint CIOs made in the 1990s: "I can't get a seat in the boardroom."
Cybersecurity remains a secondary risk
Surprisingly, cybersecurity is often not a top priority in enterprise risk management. Several factors contribute to this, including:
- Many organizations have not established a consolidated governance, risk and compliance function, so cybersecurity operates in its own silo. Managers are often unaware of the potential cyber risks until something goes awry (that is, a data breach).
- The financial risk of cybersecurity has historically not been as high as that of traditional forms of risk such as lawsuits, supply chain disruption, competitive issues and so on, so executives have not been held adequately accountable for cybersecurity. This is becoming increasingly dangerous as regulations with real teeth, such as the GDPR, are enforced and as cyber criminals become more insidious through ransomware and other attacks that can disrupt business operations.
- Business requirements often take precedence over security requirements, allowing companies to drive digital transformation initiatives without performing security reviews. This has dramatically expanded the company's "attack surface" as companies adopt new IT paradigms, such as cloud and mobile, without taking appropriate security measures.
These issues have given security a bad name: they are "the people who always say no to new digital business projects", so many executives do not think to invite CISOs into strategic discussions, or deliberately avoid them so that security cannot throw up roadblocks for new initiatives.
This dynamic is leaving many companies exposed to devastating consequences, and in this era of the GDPR, the California Consumer Privacy Act and the next generation of ransomware and denial-of-service attacks, a company's ability to provide security is becoming a matter of its ability to survive.
Put it all together and many CISOs today find themselves in environments where they are not understood by executives, are only brought into business initiatives when it is too late, and are then blamed for the resulting security breaches, cyber attacks and compliance violations. All of this plays out against the backdrop of a global shortage of cybersecurity skills that has left staff overworked and focused on mundane activity rather than on strategic work that could drive the business forward (such as securing the next digital transformation initiative). And to top it off, CISOs are the most convenient scapegoat when bad things happen, so that a data breach hangs over their heads like a sword of Damocles.
Time for a walk
What is a CISO to do? Easy: get up and take a walk (literally, not figuratively).
CISOs should follow the pioneering method developed by Bill Hewlett and Dave Packard in the late 1950s: management by walking around. They should focus on getting out of their security bubble and moving around the company to talk to business leaders about their latest initiatives and goals.
This is the most common advice I give CISOs, because "bubble confinement" is the most common affliction I see. When they walk around and engage with business people, CISOs not only gather valuable information that should feed into the security strategy. It also gives them the opportunity to show executives that they are not roadblocks or "necessary evils" and can instead dramatically improve the likelihood that corporate initiatives succeed. They can educate everyone, from the product manager to the CEO to the board of directors, that digital transformation is not the company's ultimate goal. A secure digital transformation is.
Walking around is also valuable practice in simply speaking plain English. Many CISOs find it difficult to communicate value to leaders simply because they lack the ability to frame their operations in terms that matter to those executives. Telling the CFO that you have successfully thwarted 2,345 attempts to intrude into the network means nothing to the business. Telling the CFO that your data protection project would protect the company against GDPR violations, whose fines can amount to 4 percent of annual revenue, means a great deal.
To create a more sustainable and rewarding career path, CISOs need to make the same transition CIOs made at the turn of the century: from "techno-geek" to "business person who is also a technology expert". That is why many of today's most successful CISOs have an MBA. Forty-five percent of Fortune 500 CISOs have advanced degrees, and about half of those are MBAs, according to a 2018 Forrester Research report. Leading CISOs know that they have to be business people first and technical experts second.
This transition will not happen organically. CISOs have to make it happen. Organizations that do not include CISOs in business discussions will not suddenly "see the light" and roll out the red carpet at the next board meeting. Instead, CISOs must make themselves seen as professionals who understand the business and can de-risk the next generation of digital initiatives. An advanced business degree will certainly help. But degree or no degree, the most effective way to change the conversation around security is simple: get off your butt and walk around.
Joseph Schorr is Global Executive Services Director at Optiv Security in Denver. He works with CISOs at large companies to solve their key security issues.