Is “Fall Guy” Part Of The Enterprise CISO Job Description?
Security Leaders Concerned Over Equality And Accountability
The enterprise security mandate is clear: Protect the systems, data and personnel from cyber threats. The role of the security leader also encompasses protecting the organization’s brand.
Studies have quantified the cost of a data incident; however, the impact on image, reputation and trust is long-lasting and difficult to express beyond a risk statement. What is the security leader responsible for, and what is the security leader held accountable for when something goes wrong?
Breaking Down The Enterprise Security Challenges
The role of enterprise security leader is stressful. It requires keeping up with the security needs of new IT initiatives. New projects require risk assessment and identifying the right team skills to apply. The IT skills shortage is evident in enterprise cyber security and continues to apply pressure on resource-strapped teams. In some cases, outsourcing may be the only option.
Department-led IT initiatives may be launched without any security oversight, a practice that has given rise to the term Shadow IT. A security team that is responding after the fact to business projects being “stood up” will find it difficult to enforce its security posture uniformly across the organization.
Generating awareness among end-users in support of basic cyber hygiene should be an on-going process that involves every part of the organization. Annual cyber compliance training and all forms of “policing” cyber policies create friction with end-users. Some organizations are even prioritizing basic cyber hygiene alongside strategic security initiatives.
Add to these requirements the need to communicate cyber risk effectively to business stakeholders and to keep up with a growing workload, and the result is a modern security leader who often is unable to “detach” from work, fears taking time off and operates in an environment where they believe their time is limited.
Is “Fall Guy” Part Of The Job Description?
When something goes wrong, the CISO can be held to a higher standard than their counterparts. If the sales team misses a quarterly goal, does the leader get let go? This reality demonstrates the criticality of the security leader and at the same time raises the question, “is this fair?”
In a Task Force 7 Radio podcast, host George Rettas and CNBC cybersecurity reporter Kate Fazzini discussed both the internal and public scrutiny that is being placed upon large enterprise CISOs. “We're all going to have a bad day,” said Rettas. “I don't know a single breach incident that didn't involve a great deal of internal strife,” added Fazzini.
The conversation peaked between Rettas and Fazzini when they reached a painful truth. The CISO is “trying to secure a very imperfect infrastructure and network,” said Rettas. “Do you think these CISOs are being used as sort of the fall guy here?”
“I think they're definitely being used as a fall guy,” remarked Fazzini. “There's no CISO who's not going to have a breach” at some point.
Many security leaders have turned to humor to manage this stress. During RSA, one CISO asked if I had heard what the acronym CISO now stood for. “Chief Initial Sacrifice Officer,” he quipped.
Fazzini further noted how Equifax not only replaced the CISO, but also changed out the roles of CEO, CIO and many others in the wake of its data incident. The new CISO not only had large enterprise security experience but was known for an ability to speak the language of the CEO and the board of directors.
This observation supports a need to reexamine the definition of CISO and appreciate that it may have multiple personas.
CISO Personas: Strategic And Tactical
Churn for the CISO role is relatively high. A November 2019 study by Nominet of 800 U.K. and U.S. CISOs found the average lifecycle is now only 26 months. Job-induced stress impacted everything from relationships to the mental health of CISOs. The worst case would be careers cut short due to burnout.
This realization led Cyber Security Hub to change its approach to the questions it asks and the on-going conversations it has with practitioners. With stress and anxiety increasing across the field, perhaps the definition of a CISO is evolving and should not be viewed as a single, fixed role.
As enterprises continue to expand and digitalize, we are observing a market dynamic where CISOs are aligning with one of two approaches (or personas) – Strategic or Tactical.
- The Tactical CISO leads with an understanding of the technologies, tools and processes (in the people-process-information-technology spectrum). Organizations need to “stand up” a security program quickly, and this CISO persona is adept at putting the policies and regimen in place. As security requirements have expanded, the Tactical CISO has also become the “dumping ground” for additional responsibilities, which may or may not align with the skillset of this persona.
- The Strategic CISO leads with an ability to relate the security imperative to the objectives of the business (more of the “people” and “information” aspects of the people-process-information-technology spectrum). The relationships established with other stakeholders in the organization enable this CISO persona to assess the overall risk posture of the business and its functional areas.
As an organization grows, the trend is increasingly towards strategic opportunities. The technical requirement does not diminish; however, future demand for it is not as great.
Neither CISO persona removes the need for continuous learning. Whether the opportunity is to acquire more technical or more business knowledge, organizations want security leaders who can grow with the company.
Creating Awareness For The Modern CISO
An open discussion is necessary to overcome the current dynamic between organizations and security leaders. The needs of each organization are unique. Understanding the maturity of an organization’s security program and what is necessary to advance that security posture is essential. The alignment of the CISO and the organization is not a cookie-cutter process and requires effort from both parties to ensure everyone’s success.