Why Some CISOs Fail

How to succeed as a CISO | SecurityWeek

The CISO’s role is not to simply protect IT against risk – it is to defend the work of all departments, and the profitability of the entire business

The role of Chief Information Security Officer (CISO) is new. It’s just 25 years since Steve Katz became the world’s first known CISO. There is no universally accepted definition of the role, its methods or its responsibilities; and CISOs are left to find or forge their own paths. Some fail to choose or find the right path.

Adolescence

“I would say that the role is in its adolescence right now; not yet fully formed,” says Ben Smith, Field CTO at NetWitness. “We think it’s headed in the right direction, but there's always room for improvement and growth.”

Adolescence is the age of rebelliousness. “But it’s also the beginning of maturity,” says Chris Morales, CISO at Netenrich.

Reporting

Confusion over the proper role for the CISO can be seen in the ongoing debate over the correct reporting structure. The majority of CISOs still report to the CIO, but that number is slowly diminishing. CISOs are demanding, and businesses are recognizing, that however closely the CISO and CIO need to work together, neither should be subservient to or dependent on the other. There is an inherent conflict of interest in this relationship (the CIO is measured on delivering IT projects; the CISO is measured on the risk those projects introduce) that can only be solved by each party being on an equal footing.

It's almost as if the CISO role lost its way after its inception. The first known CISO, Katz, was recruited by the Citicorp CEO under direction of the board. From the beginning, there was a connection to the board. But this was lost over the intervening years. The natural connection between information technology and information security fooled businesses – and some CISOs – into thinking that security is an aspect of IT. It is not. It is an aspect of the business. Protecting the IT infrastructure from cyber risk is part of its purpose, but its overriding purpose is to protect business profitability from all cyber risk.

Morales, who is a successful CISO with a clear sense of purpose, reports to his CEO. “I insisted from the beginning,” he told SecurityWeek. “It was a condition of me accepting the position.”

The precise reporting structure is not critical beyond three conditions: the CISO must have access to the board, should not report to the CIO, and should have his own security budget rather than a percentage of the IT budget controlled by the CIO.

The businessman

The growing maturity of the CISO role can also be seen in the increasing recognition of the need for the CISO to be a businessman, perhaps above and beyond a technologist. This is a process in transition since the majority of existing CISOs have come up ‘through the ranks’ and have a natural grounding in technology. But these CISOs are being forced to acquire business skills to properly fulfill their roles, and to a large extent, their continuing success is dependent on how well they learn these skills.

This is another side-effect of the historical sidetrack of reporting to the CIO. The CISO has lost contact with the reality that he/she is a C-Suite executive in his/her own right, and needs to behave as such – interacting as an equal with all the other C-Suite business executives to further the profitability of the business.

One of the big questions is how far this transition from technology to business might go. The relative importance of technology and business skills is not yet clear. The CISO cannot be simply a technologist – but could he/she be simply a businessperson? A common concern among current technology-focused CISOs is that a CISO with no technology skills would quickly lose the confidence of the security team.

However, from the business perspective, a businessperson with the requisite people-management and soft skills could prevent this through his/her choice of security team makeup and his/her own communication skills; that is, he/she would be able to translate business requirements into terms the technologists can act on.

The need for the CISO to have business skills, in order to protect the business focus of the company, is growing. “I would say,” comments Smith, “that if you enter into a CISO role with the expectation that you're going to be the most technically capable employee in the security function you are going to fail because that's not what today's CISO is all about.” He goes further: the ideal makeup for the CISO is a businessperson with technology understanding – but if he were forced to choose between a pure technologist and a pure businessperson for this role, he would choose the businessperson.

The negotiator

An important aspect of being a businessman is the ability to negotiate – and this is essential for the businessman CISO. Traditionally, the CISO has become known as Mr. No. The CISO is responsible for security, and it is too easy to say, or be perceived as saying, ‘No, you can’t do that because it is not secure.’

This can lead to a negative perception of the whole role of cybersecurity, and – in extreme cases – the exclusion of the CISO from other business discussions. It is better for the CISO to engineer the environment in which he/she can say, ‘Yes, we can do that so long as we do it this way…’ This requires a high level of communication and negotiation skills, and a good rapport with other C-Suite members – especially, of course, with the CIO.

Early attempts to sell the value of security were clumsy. A common claim has been that the business is like a car and security is the brake pedal – it gives the driver confidence to drive faster. But the analogy doesn’t bear analysis. The car can only drive faster if the brakes aren’t applied – so can business only work better if security isn’t imposed? A debunked analogy is worse than no analogy at all.

A better approach, recommended by both Morales and Smith, is regular one-on-one, face-to-face meetings between the CISO and the other C-level executives. The CISO must first understand the problems and priorities of his/her partner executives, and then be able to explain the security concerns in those terms. This requires building relationships.

A CISO who understands why a marketing officer needed to spin up a new website, and a marketing officer who understands the security issues that website can introduce, are more likely to come to a mutually beneficial and acceptable compromise. Similarly, a CISO who talks to the CFO and understands the constraints on increasing budget will likely get more and be satisfied with less. A CISO who talks to the head of legal will have a better understanding of what is required for regulatory compliance, while the legal department will better understand what it costs to be compliant.

The role of the modern CISO has become heavily dependent on communication, and the ability to negotiate a mutually acceptable compromise. Without these skills, it is difficult to see how the modern CISO will succeed.

How to succeed as a CISO

The modern business is a complex relationship between information technology, marketing, finance, human resources, legal and other departments. The successful CISO’s role is not to simply protect IT against risk – it is to defend the work of all the departments, and the profitability of the entire business.

To achieve this, the CISO needs to shed his/her purely technological mantle and develop new skills of communication, negotiation and willingness to compromise. Metaphorically, the CISO needs to emerge from behind his/her desk in a corner of the IT department and take or forge a place in the wider business. This is the successful CISO of the future.

Related: CISO Conversations: Intel, Cisco Security Chiefs Discuss Making of a Great CISO

Related: CISO Conversations: The Difference Between Securing Cities and Businesses

Related: CISO Conversations: Zoom, Thycotic CISOs Discuss the CISO Career Path

Related: CISO Conversations: Honda Aircraft, Bombardier CISOs Discuss Their Start in Security

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.