The role of cybersecurity within organizations has changed dramatically over the last decade. What was once a desk in the IT department has become a separate unit with its own leader. That leader has various titles: head of security, chief security officer (CSO) or chief information security officer (CISO). For our purpose, we will combine all under the generic title CISO.
Just as the role of cybersecurity is evolving, the role of the CISO also continues to evolve.
In this new CISO Conversations series, SecurityWeek talks to top CISOs from major organizations within the critical industries. The purpose is to discuss the role of the CISO, and what it takes to be a successful CISO.
One of the biggest changes in business over the last few years is the arrival of the Fourth Industrial Revolution (4IR), also referred to as “Industry 4.0”. This is based on the digitization of business processes. Technology is no longer a support for business, but the foundation of a business that interconnects multiple local data centers, remote cloud applications, the supply chain, remote customers, and all connections between them.
At the same time, attackers have become more sophisticated, threats have become more severe, and governments have become more demanding in their regulatory requirements. It is no longer enough for security to just protect data – security must now enable and ensure the very continuity of the business it supports.
To achieve this, the CISO must be integrated into the fabric of the business itself and have a detailed understanding of business processes and priorities. It is a debatable point – and one we discussed with our two CISOs – whether today’s CISO should be a technical expert or a business specialist.
“CISOs need to be both,” says McMahon. The CISO operates at the intersection of technology and business. “They need to be able to translate and work and manage in a business executive context as well as in a technology context.”
O’Hern has a similar view. The CISO has become an integral part of the C-suite management team, and the CISO role includes all facets of what should be expected from any other senior executive. That combines, he said, “fiscal responsibility with a technical aptitude to really deliver on managing risk for the business.”
But if a CISO now needs to be a business specialist, does he still need to be a technician? O’Hern says, yes: “I don’t think you can survive without a strong technical background because you won’t have the ability to make risk-based decisions or define the programs that will improve the company’s security posture without a strong understanding of the technical side of things.”
This raises the question of where this new C-level business-cum-technical executive should reside in the company’s organizational structure. Many people argue that the CISO should now sit on the board with other senior functionaries. Surprisingly, neither of our CISOs thinks this is necessary – having the ear of the board is more important than being a part of the board.
“I don’t know that the CISO needs to be on the board,” said O’Hern, “but at a very minimum the CISO needs to participate with the board. I think it is important that today, the board of directors understands the cyber risks that face the company and is well-versed in the programs, the posture, and how it gets executed within the business. I believe that in today’s environment the CISO role has really evolved to be a true member of the C-suite, someone who sits at the table with the board of directors at least on a routine basis to continually update them on the posture of the organization.”
Sitting down with the board, then, is more important than being a member of the board. “I think the best operating model for how a CISO can serve a company,” said McMahon, “is where the CISO has regular interactions with the board of directors and where the CISO is present in the room with the board. They need to have a seat at the table from an operational or operating committee perspective, and for that they need to be able to be in front of the board directly.”
Getting in front of the board on a regular basis has another advantage – it provides the opportunity for CISOs to use their soft skills in high-level networking. Apart from further embedding the need for strong cybersecurity within the organization, it has an additional surprising benefit. Both of our CISOs noted that in such meetings, someone would almost always ask, “Do you have enough resources to do this?”
The organizational structure of company and security is further complicated by the growth of regulations and the need for compliance, particularly on consumer privacy issues. There are now additional data privacy officer and compliance officer functions; both require as much legal as technical/security savvy – but are still closely intertwined with the security function. The question is then whether the CISO should also be the Data Privacy/Compliance Officer.
The answer is simple: it depends on the company and the CISO. McMahon thinks the functions should be separate in larger organizations. “For privacy,” she said, “there is a lot of legal involved. In Verizon, our chief privacy officer is an attorney. CISOs are not normally attorneys. So, the CISO also being privacy/compliance officer is not common in larger companies. But,” she added, “I do think that combining the CISO with other functions makes sense in certain conditions — so if a company has a really great CISO, challenging him with other functions makes a lot of sense.”
The relationship between compliance and security is frequently discussed, with common comments being ‘compliance is not security’, and ‘compliance is a good basis for security’. McMahon believes that once a regulation exists, it is too late to do anything about it; and, she says, “It’s just the cost of doing business.” In this view, the CISO has two separate roles: post regulation, it is to work with other stakeholders within the company “to translate the regulation into the company’s privacy and security program and just go make it happen.”
Pre-regulation, however, CISOs “need to work as part of their industry consortiums, to engage with the regulatory agencies so that the regulations that are implemented make sense, they can be applied, and they actually enhance security.” Overall, she supports regulations – not so much for her own company, but because they can raise the basic level of security elsewhere: “Because there are companies out there where I have concerns they aren’t doing the basics that really should be done.”
O’Hern has a different view. “I don’t see regulations lending themselves well to cybersecurity,” he told us. “There’s too much change, there’s too much evolution — I just don’t see how that would be any benefit in a security space.” O’Hern’s concern is that regulation cannot keep pace with either technology or criminal activity.
But he added, “I think there is a need for more standards. So, not regulation, but we need to continue to push things like the NIST Cyber Security Framework. I think IoT is a ripe area for improved standards, and I think as a community, we could do a better job of coming together and pushing standards and guidelines and best practices. As we push forward, and you think about 5G and the explosion of IoT, standards are going to be really important.” So, standards, not regulations.
With such a complex and responsible role, stress-related burnout is common. “It is a stressful position,” said O’Hern, “because we’re dealing with adversaries we don’t know about. There is a constant evolution of attacks. If I just look at my role at AT&T, I not only play in the telecoms space, but I’m also part of the national infrastructure protection. We are in the entertainment industry; we’ve got a whole retail operation, we run a massive energy grid across all these systems and platforms, and we have direct-to-consumer services. It’s a daunting task. It’s something you carry with you every day and take to bed with you at night.”
But, he adds, there is some solace in job satisfaction and teamwork – in the quality of the team around the CISO. “You can look at the pressure of all the attacks, and the geopolitical environment and the threats that exist – and then there’s a balancing piece in the satisfaction you get from innovating and delivering solutions that are not only user friendly, but also improve the security of the company networks.”
Finding and recruiting that team around you is just another problem. There is a well-documented and severe skill shortage in cybersecurity. O’Hern believes in and operates a robust internship program to bring college students in. “While you get to know them, they get to know you. You train them, expose them to different areas of the business – and you make them an offer before they return to their senior year. We’ve found this to be a very effective method – even if we’re paying a little bit more in compensation – more effective than trying to hire people off the street.”
It’s not an easy solution. Existing staff must mentor the interns and give them challenging assignments. This can be a burden, but can work if the CISO and his team are committed. “We’ve seen huge benefits from the quality of the people we’re bringing in,” said O’Hern.
We asked O’Hern whether the concentration on college graduates means that the industry misses out on the natural talent that – for whatever reason – does not go through college (people with Asperger’s, for example). He confirmed that the concentration on cyber certification is an issue.
“I would guess that any CISO sitting in a CISO chair today does not have a cybersecurity degree, because they didn’t exist five years ago. None of us went to college to become a CISO or CSO — we all came out of different fields. We all arrived at our chair not by some formal education but on-the-job learning.
“I would say the single greatest trait that anybody can have — and I would hire them in a minute — is passion. You’ve got to love this stuff. I think there is a tremendous opportunity for individuals. There is a certain credence to having a college degree, because it helps you clear some hurdles – but I do think that if you are committed and you have passion, then there is a place for you for sure.”
We asked McMahon if a positive attitude towards diversity could help the skill shortage. She agreed. “There are two coinciding trends,” she said. “The first is that companies have figured out the value of having a diverse workforce. The benefits of an inclusive workforce to a company’s bottom line have come into clearer focus, and companies that don’t embrace diversity risk getting stuck with a narrow view, doing things the same way they’ve always been done. So, managers in traditionally male-dominated technical fields like security are doing a lot to broaden the experiences and perspectives on their teams, including bringing on employees who don’t fit their stereotype of a technical cybersecurity expert.”
She continued, “The second is the well-documented need that companies of all sizes have for cybersecurity talent. Organizations’ security needs are going to continue growing in the coming years, and there’s a shortage of people in the pipeline today. Companies are hungry for security talent at all levels, and qualified jobseekers have a lot of options. Even if you’re not technically inclined, companies will also need to manage their growing cybersecurity teams with more dedicated support roles (think project managers, people managers, finance and operations specialists). I firmly believe there are terrific opportunities everywhere in cyber security for women, whether they’re recent graduates just joining the workforce or more experienced workers looking to apply their skills to a new career path.”
Being a CISO is a huge and complex role. It requires continuous on-the-job learning of new technologies and techniques, coupled with the soft skills necessary for people management and intra-company networking. It requires the ability to learn from and teach others — to give and receive advice. We asked our CISOs what was the best advice they ever received.
For O’Hern, it was no single occurrence. “I’ve had a lot of great mentors,” he said. “I think the best advice, seeing that I work in such a large corporation, is really some tips and techniques along the way: to figure out how to get the critical things that you need funded, implemented, and supported… It’s not enough to just have a great idea, or come up with a great innovation, you must get it implemented with a mature support model. We’re at such a massive global scale here,” he added, “I think some of the guidance I’ve got on how to prepare business cases, how to address the technical community, how to put together a full package that walks through the threats, the risks, the balance, the financial impact, the RoI… all the elements of how to get your stuff funded. That’s probably one of the key learnings I’ve had.”
For McMahon it was this: “A veteran CISO once shared the following quote by Donald Rumsfeld: ‘You go to war with the army you have, not the army you might want or wish to have at a later time.’ He explained further that your job is to fully leverage every resource at your disposal and build the capabilities you need to deliver on your company’s strategy and brand promise.”
In turn, she offers the following advice to new CISOs: “Learn to influence, negotiate and work effectively with stakeholders. As a security leader, you will have more overall impact through the work you influence within the company, versus what you directly manage and control. Ask yourself daily, What can I do to become a more effective security leader and deliver more value for my organization?”