CISOs Must Be 'Bilingual': Speak IT & Business

Dan Gunderman

Mark Clancy

The Dec. 11 episode of “Task Force 7” Radio on VoiceAmerica ran the cyber security gamut – from a defense of practicing CISOs, to complicated research variables, to a company’s risk profile.

The program, hosted by information security executive and Task Force 7 Technologies President and CEO George Rettas, again broached the topic of the sweeping Uber hack, along with the startling skills gap present in the cyber security space.

To kick off the show, Rettas reviewed social media posts on the cyber security community’s response to the ousting of Uber’s former Chief Security Officer Joe Sullivan. The reaction, Rettas said, was largely warm and respectful of Sullivan’s time in the space.

“Someone like Joe Sullivan, who has had a storied career, has helped so many people, has devoted his life to battling the bad guys…he deserves the benefit of the doubt,” Rettas said. “(He deserves) the right not to be prematurely judged, especially by people who don’t have a clue what happened.”

The conversation then moved to an interview with Task Force Radio’s guest of the week, Mark Clancy, founder of Cyber Risk Research. Clancy has been in the information technology industry for 25 years, 15 of which have been dedicated to cyber security and technology risk management issues. Outside of his work for Cyber Risk, a consultancy organization, he was the CEO of Soltra, a software automation and services company, until November 2016. Clancy has testified before Congress on cyber security issues and has dedicated much of his time to financial services and critical infrastructure.

See Related: 'Tech Won't Run Itself': Analyzing Cyber Security's Talent Crisis

On the true role of today’s CISO, Clancy said, “It’s really about taking the dark arts of technology and how it’s exploited and translating that into what it means to a business… If you go and read any job description that’s posted, you’ll never see that, that’s not the words that are used in recruiting, but that’s actually what the job’s fundamentally about – taking that technology risk and translating it into a business context.”

Clancy explained that CISOs typically come from one of two backgrounds: business and management, or the technologist side, where candidates move up into a leadership position. Clancy said that while the two perspectives can be quite different, an effective CISO must be “bilingual,” meaning fluent in both IT and business language.

Upon being asked where CISOs “live” within an organization, Clancy said that it often depends on the maturity of the organization. In early enterprises, CISOs always live inside the technology arm. Eventually, the CISO may shift into a “truly C-suite, executive” role, outside of strictly technology.

The Cyber Risk Research founder also outlined the “three lines of defense” for today’s practitioners: the operational function (guards on the wall), strategy/planning (tracing threats, knowing “crown jewels”) and review of hazards and threats. Clancy said CISOs typically live around that second line.

Tackling the cyber security talent crisis, Clancy opined, “A lot of companies want that ‘unicorn.’ They want that cryptographer diplomat who knows everything about technology and can speak eloquently about every topic. But that’s not what’s available on the market when they go looking.”

Often, organizations have a “mansion desire on a starter-home budget,” he said.

See Related: Cyber Feminist: Enterprise Security 'Needs More Diversity'

On potentially faulty compensation packages that some companies are putting together for top cyber talent, Clancy said, “Organizations realize they have to do something, but they don’t know what it is yet.” He said CISOs, unfortunately, may not be treated as executives. He called the perception “title inflating,” saying that some companies just don’t understand the risk environment that they live in.

On where CISOs should report, Clancy said they’ll typically begin within the IT banner, which is effective as the company grows, so the practitioners can attend to the fundamentals. Then, at a certain point, CISOs leave the IT organization and become absorbed into other functions. They could then be treated like any product-line member, or “just another log in the fire,” the guest said.

Nevertheless, Clancy added that in late-stage, mature organizations, some CISOs could report directly to the CEO.

“A CISO’s job is to make sure that the risks that exist…are pointed out to the organization, are understood, and are accepted or mitigated…” he suggested.

On whether they should be held accountable for mega-breaches, he continued, “If they’re not doing that…and something bad happened, they didn’t succeed at their job and should be terminated…”

To gauge whether termination is truly the right decision, Clancy said that organizations should first look at the root circumstances behind the incident. Was it a one-off? Were all systems unpatched or left unattended? There is a stark difference between pure negligence and a “bad day.”

One challenge Clancy outlined with regard to research was the “notoriety.” He said the “defense” side receives far less recognition than the (often) glorified “hacker.” He called it a sort of “branding problem” on that side of the equation. Additionally, the “Task Force 7” guest explained the “different neighborhood” challenge, meaning the gap between R&D (often academic) and commercial needs. While it’s a “radically different culture,” Clancy also said the “problem is getting slightly better” with different standardized methods and open communication.

Task Force 7 Radio

The “Task Force 7” Radio recap is a weekly feature on the Cyber Security Hub.
