#cybersecurity | hacker | Is the CISO a second-class executive?

Why does it appear that the CISO is a second-class
executive? Are CISOs the victim of a business that “doesn’t get it”? Or is the
business a victim of CISOs that “don’t bring it”?

The plight of the CISO is well
documented. It can be a challenging and thankless role that is accompanied by
high stress and an equally high turnover rate.

CISOs often believe they are not given
a fair chance by business executives and are essentially obstructed from doing
their job. They frequently feel they don’t report to an appropriate or senior
enough executive, don’t have a prominent enough position at the board table,
are not given enough budget, and lack respect of C-Suite executives.

Why is this? Is it that business

  • Don’t care enough about
  • Don’t understand the scale of
    the problem?
  • Want a ‘checkbox’ for security?
  • Want to invest as little as
    they feel they can get away with?

The crux of this problem is the perceived
value return of security under the leadership of the CISO. Two key points
really undermine the CISOs perception:

  1. The CISO’s difficulty in
    convincing what ‘good looks like’ from a security investment, and security
    results perspective. Basically, is there a strongly correlated relationship
    between security investment, and risk/ impact control?
  2. The CISO’s difficultly in
    getting past reporting from a ‘technical and operational security’ perspective,
    rather than a robust and easy to understand risk and impact perspective.

Generally, you don’t get a seat at the
board table by just seeing a board level problem. You get a seat at the board
table by having a credible strategy and business plan to achieve board level
objectives and solve board level problems. Do CISOs today effectively bring a
board level security solution to the table? Or, how does a CISO’s ‘solution’
stack up against competing executives’ pitches for budget?

The argument that CISOs are ‘stuck’
reporting into the ‘wrong’ executive is a function of the perceived value they deliver.
Where you report often speaks to where the business believes you have the best
chance at having success. Business executives want to maximize success and minimize

What is the ‘right’ amount of security
investment? Most things in life (e.g. buying dinner, a vacation, or a house)
it’s easy to see the relationship between cost and expectation. This works with
most departments in business as well (e.g. R&D, marketing, sales, legal,
IT). There is a reasonably obvious connection between quality, quantity, pace,
and cost. Unfortunately, using conventional approaches a CISO has a challenge
linking what the business gets from an amount of investment. Is there a way for
a CISO to provide a plan, like the other department heads, to strongly link and
measure quality, quantity, and pace to achieve an agreed expectation of

The reality is that business
executives do:

  • Care about protecting vital
    business assets and interests. In fact, their personal brand is on the line as
    business executives are coming under direct fire in the aftermath of cyber
  • nderstand the scale of the
    problem, and they are terrified about it. In fact, they have little confidence
    that a public breach isn’t imminent, and they see the consequences.
  • Want credible cyber resilience options,
    but they aren’t receiving them from the CISO. This puts business executives in
    a bind and corners them into producing the most common tangible option as a CYA,
    which is usually compliance to a security framework. This is easily perceived by
    the CISO as only wanting a ‘checkbox for security’
  • Have a fiduciary duty to spend
    wisely. Executives are “damned if they do, and damned if they don’t” with investment
    in security. Because the CISO doesn’t bring credible security investment
    options, nor justified results, but the obvious need to protect business
    interests from security breach, they are caught in an opportunity-cost Catch-22.

If a CISO cannot pragmatically solve
board level security problems; if they cannot establish costs vs. agreed
expectation of results, and provide a credible business plan, then it seems to
follow that they are not punching at the Board level.

Because it is clear that security is a
board level problem, and the CISO is not bringing board level solutions, the
reasonable outcome is a tough life for the CISO and limited authority and scope.
Unfortunately, the trickle down is poor morale and hiring and retention
challenges which exacerbate the perception and execution problem of the CISO.

best thing Boards can do is manage cybersecurity risks as they would any other
business risk. To be effective, there must be a working relationship between business
executives and the CISO, where the CISO has aligned goals, strategy that drives
cyber resilience options, a business plan that gives leadership clear risk
appetite choices, and an implementation plan that delivers results.

Douglas Ferguson, Founder and CTO of Pharos Security

Original Source link

Leave a Reply

Shqip Shqip አማርኛ አማርኛ العربية العربية English English Français Français Deutsch Deutsch Português Português Русский Русский Español Español

National Cyber Security Consulting App



[spreaker type=player resource="show_id=4560538" width="100%" height="550px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]
 [spreaker type=player resource="show_id=4569966" width="100%" height="350px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]


National Cyber Security Radio (Podcast) is now available for Alexa.  If you don't have an Alexa device, you can download the Alexa App for free for Google and Apple devices.