The role of a chief information security officer (CISO) can never be categorized as low-stress. After all, the responsibility for safeguarding all that corporate, customer and employee data, along with intellectual property, is so vast and the pressure so immense that many decide (or are asked) to walk away within just two years of accepting the job. Further, considering that cyberthreats are a continually evolving phenomenon, CISOs are likely to feel as though their entire role is a moving target.
At the same time, we can imagine that anyone willing to undertake this role is likely someone with great knowledge and vision, a clear strategist with the confidence and fortitude to withstand scrutiny—especially if, or when, the unthinkable happens on their watch. CISOs are not risk-averse people.
So, when it comes to an executive who must prepare for the worst and hope for the best, do you ever stop and wonder whether a CISO can be caught by surprise in the job? Can there be any true shocks when you’re tasked with managing a corporate security strategy, or is being surprised a sign that you’re not cut out for the job? The fact is, even if a CISO is prepared for a cyberattack, there are aspects of this job that can be unexpected.
As a leader who has lived through the impact and aftermath of a massive corporate data breach at a Fortune 30 company and helped others with similar problems, I’m sharing the things that I still find surprising in this role and the things I’ve learned are critical to anyone who steps into these shoes.
Failure to Align the Management Team
Any CISO joining a new company will want to hold open and honest conversations with executive management about the opportunities of the role and what the hopes for their tenure as CISO are. These conversations are best had before any threats or security failures are involved. It’s vital that all parties are clear on the vision and aligned on expectations. If a CISO has only a limited window of time to resolve a set of security problems, those parameters must be well-defined, and the executives who would otherwise escape the consequences of a CISO’s failure must share the same goals. Also, remember: never be in a position to deliver bad news as a stranger. Get the visibility early.
The Absence of C-Suite Support and Visibility
When staffing a CISO, companies must be direct and open about the support the CISO office can expect to receive, as well as its visibility into policies and budgets. This includes being frank about any friction associated with enterprise change. It’s also critical for a CISO to understand the organization’s reporting structure and to weigh whether the entity the position reports into—IT or the executive leadership team—is a clue to how the company regards security.
British intellectual Sir Leslie Stephen once said, “A chain is no stronger than its weakest link,” and his wisdom is a good fit here. Without appropriate support, the CISO’s role is tenuous at best. Worst case, you are complicit in the creation of an ineffective and mediocre security cost center. I see it often. Remember that budget doesn’t equal cooperation, but cooperation is required for positive results.
Breakdown in Swift and Decisive Response
The CISO must prepare the company’s security posture to be as fast as an adversary is likely to act; otherwise, the executive team must acknowledge that the adverse effects of a security failure are acceptable. That sounds hard to believe, but the theme of this essay is the unexpected, isn’t it? There are some realities to consider. For example:
- Closing security gaps could take a year of deployment and configuration, and an endless supply of budget won’t buy cooperation. Support for preparation must come from outside of IT and from the top down in the organization; otherwise, it’s just an “expense” and not a culture.
- Relevant incident response will require immediate action against an adversary who is likely already inside. CISOs understand that corrective action will require operational disruptions. Everyone involved should be empowered to say so openly, to reinforce credibility when tough decisions must be made.
- Absent the above, emphasis should be placed on monitoring and response rather than on preventive measures. Prevention comes from good organizational decisions, while monitoring and response come from great culture and capabilities. Lessons learned and observations must be documented outside of information security, and failures tracked accordingly.
It’s clear that, despite the increase in cyberthreats and the advances in technology and known security practices, CISOs can still be taken by surprise or undermined in their role of protecting an organization. The savviest CISOs will work diligently on improving their leadership skills and understand their critical role in developing and enforcing a company’s culture as it relates to security policies. An effective CISO will also be extraordinarily attentive and knowledgeable about emerging trends (or have a lieutenant who fills that role) and will advocate appropriately for the budget needed to implement security measures that protect newer, disruptive technologies. These choices cannot be made in a vacuum of experience; the old “best practices” must be questioned. In other words, a CISO must be empowered to evolve along with the organization and be regarded as a strong risk leader, the resilient first line of your company’s defenses against cyberthreats.