The CISO is a precarious job. Research studies indicate that CISOs typically survive just 18 months to two years in a job which is increasingly complex and multi-skilled.
After all, information security is no longer solely about managing firewalls and patch management, but rather a varied role encompassing business and technical skills. Add into that continual issues around funding, reporting lines, governance and a lack of support from the board and you can see why the role is not to be taken lightly.
Indeed, Deloitte says that the CISO today must have four ‘faces’; the strategist, the adviser, the guardian (protecting business assets by understanding the threat landscape and maintaining security programs) and the technologist.
[ MORE ON CSO: ‘Vendor overload’ adds to CISO burnout ]
The consultancy found that CISOs on average spend 77 percent of their time as “technologists” and “guardians” on technical aspects of their positions, although they would like to reduce this to 35 percent – a sign of the times perhaps.
Gary Hayslip, CISO of the city of San Diego, detailed on LinkedIn just how varied the role now is.
“The position as CISO is not for the faint of heart, it requires knowledge of disparate security technologies, risk management frameworks, as well as network and security architectures,” he said, adding that an understanding of federal and state law, as well as compliance and in developing security strategies, is also required.
Forcepoint Deputy CISO Neil Thacker told CSO that the five main challenges for today’s CISOs are managing risk, communicating with major stakeholders, managing security operations, ensuring data protection and guarding against the insider threat.
“Many of these challenges can be overcome by working with the organization and not for the organization.
“CISOs need to find the right balance of when and where they can delegate responsibility or when they need to manage this responsibility directly. As the size of the organization increases, the responsibilities must be shared and each department will need to own more of the organization risk and communicate regularly with the CISO. The CISO should also ensure each department receives the right education tailored for their needs and ensure risk and security metrics are shared pervasively across the organization.
Matt Palmer, CISO at insurance broker Willis Towers Watson, says that often the biggest challenge is for security heads to look at how they can improve security operations.
Matt Palmer, CISO at insurance broker Willis Towers Watson
“The top challenge is often overlooked - it’s the ability to look forward,” he said.
“Most of the time in a large organization you will be spending your time with issues that are either historical or immediate, they require operational or tactical decisions rather than strategic. Yet, the world is changing so fast that you have to be ruthlessly strategic. When you try to do so, visibility is limited and the future often foggy. Finding that clarity and aligning strategic and operational priorities in the best interest of all stakeholders is the challenge we face.”
Yet he adds that there are other pertinent issues, from educating, informing and managing expectations of senior stakeholders to improving security processes.
“As a CISO you need to find ways to rationalize and simplify what you are trying to deliver, and make sure the team stays on message.”
What makes a successful CISO?
How can you be successful in a post where security incidents and management feuds can result in losing your job? Thacker believes it’s all about integrating yourself in the business.
“A successful CISO is the person who is approachable and can help make educated decisions before, during and post incident. They will have a good knowledge of the organization and understand the inner workings from business process through to data processing whilst utilizing their knowledge and intel from the threat and risk landscapes to position their team to be most effective when an incident arises.”
Palmer, however, believes that you should never believe yourself to be successful.
“I have yet to meet any CISO who thinks they have been successful, we are all too aware of the scale of the challenge and that the job is never done. If you are one step ahead today, you are one step behind tomorrow.”
Nonetheless, he adds that “you are part of the way there” if you understand the defined objectives of the business, improve controls “faster than the bad guys”, improve the security team while maintaining stakeholder support.
Dealing with management
One question that continues to abound, even now, is how CISOs work with senior management. In my recent piece, it was suggested that sacked CISOs often fall down on articulating the security problems – and solutions – to senior management. And experts say that board understanding and security budgets are invariably linked.
“Boards and non-execs today often set a high standard, but very few have security expertise or seek external advice to challenge their internal security team effectively,” says Palmer, adding CISOs should always look to use their budget wisely, and utilize existing technology resources where possible.
“A CISO rarely has adequate resources or budget to deal with the challenges therefore their strategy is critical to ensure they maximize the available resource,” said Thacker. “The identification of the most critical assets of the organization should be performed regularly and resources assigned to protect these assets.
“Most management teams will see value in meaningful measurements using a risk-based approach. Support or trust comes with an open and honest discussion whilst explaining the impact to the organization if the risks are not mitigated to an acceptable level.
If the worst happens, you’ll bounce back
As we explored recently, sacked CISOs are surprisingly hard to hear of, with most let go on “agreeable” terms in order to protect the public image of the company.
Yet CISOs do bounce back - even after multiple firings, illustrating the demand for these professionals.
One CISO was reemployed a month after his first dismissal, and six months after his second. To illustrate the point that good security chiefs are hard to find, he picked up a ‘CISO of the year’ award at a well-known awards ceremony during this time.
This is by no means unique. After its data breach last year, TalkTalk allegedly fired two of its senior security staff, both of whom now hold similar positions at high-profile financial services companies.
Experts say that CISOs looking to improve in their roles and further their career should network with peers to learn more, upskill where possible, and to hire good people around them.
In a recent piece for CSO, Tom Bell suggests finding a mentor, learning how the business works (including every department), working closely with the CIO, and not being afraid of asking for help. Palmer agrees, but goes further.
“The best career development for me is to do what I do better. Security practitioners should never stop learning. Find team members who are better than you or develop them until they are better than you. Make sure they have good challenges and be open to debate to so they will challenge you and make you better. Keep finding better ways to listen and communicate. Doing things outside work helps too.
“Anything that helps give you a broader perspective on life is good, particularly if it involves looking at security differently, solving complex problems, communication skills, or making organizations work.”
Thacker adds: “Work with your CISO peers. The industry is thriving with people who have experience and are willing to help others. Communities exist where discussions on good security strategy and both wins and fails can be shared.
“A successful CISO will be involved in these communities and not only should offer advice and become a mentor, they will also learn from others such is the vast, varied challenge information security offers.”