DPO

Should a CSO/CISO Ever Be a DPO?

I finally figured out why this blog was so damned difficult [for me] to write; I’ve been thinking all wrong about what exactly a DPO actually is. Which is odd, because I had the exact same challenge when writing about CSO/CISOs, and I really should have learned from my mistake.

When you think about a CISO (assume this also means CSO), or a DPO, you instantly picture a person. Maybe your organisation already has one so their face springs to mind, or if not, you have a indistinct and faceless image of someone in a suit. The fact is, neither the CISO nor the DPO are people, they are functions. Multiple functions in fact.

And not only that, they involve multiple disciplines, skill-sets, even personal preferences. Most importantly, neither the CISO nor the DPO functions [performed correctly] are ever a single person. A DPO would, quite literally, have to be an expert in privacy law (both EU and national), contracts, risk management, policy development, distribution and audit, and understand all personal data flows throughout the business.

You therefore need to break the function down before you can move forward. For example; I broke the CISO function down into 3 distinct skill-sets/phases: Continue reading

CISO Hierarchy

To Whom Should the CISO Report?

I actually feel kinda silly writing this blog because the answer to the subject question seems so obvious. But even among seasoned cybersecurity professionals, the question of the CISO’s reporting structure has taken on a life of its own. I cannot imagine a more pointless debate.

But, for the sake of argument – and to keep this blog short – let’s assume there are only 2 types of ‘reporting’:

  1. To a direct line manager (Administrative Reporting); and
  2. To the recipients of the CISO’s functional output (Functional Reporting).

The most appropriate example for this – due to it’s many similarities – is Internal Audit (IA). I’ve never seen these folks administratively report to a manager who is not either the Chief Financial Officer (CFO) or the Chief Legal Officer (CLO)/General Counsel (GC). Nor would I ever expect to, as what they do is so well established that no-one questions their hierarchy.

Why is cybersecurity more complicated?

The very concept of IA dictates that their administrative management cannot influence their output in any way. I believe such conflict of interest actually goes against some regulations/legislations. Not only must they have this complete autonomy in the creation of their output, they must have total immunity from any backlash related to its content. Especially from their direct line managers, in whose hands the auditor’s career rests.

Same for the CISO.

For IA, the recipients of the functional output just happen to be their protectors as well; The Board of Directors (or CEO if the BoD does not exist). This ‘dotted-line’ reporting structure allows the auditor’s to report the whole truth to the ultimate decision makers without fear of retribution.

Same for the CISO.

So why is the CISO role so different? Does it really matter to whom they report administratively as long as they have both access to, and the protection of the BoD? Just like IA, the only thing a CISO should have to worry about is their own ability/competence to perform the function. And if, as I HIGHLY recommend, make the CISO role a Board appointment (or don’t bother having one), both the BoD and CISO are fully aware of each other’s responsibilities in this regard.

So if you accept that it’s really only the BoD dotted-line that matters, to whom should the CISO report administratively to help avoid the inevitable politics?

Common CISO Administrative Reporting Structures

  1. Direct to the CEO – This is the ideal of course, as you can usually assume that to have this hands-on approach the CEO takes security seriously. Seriously enough anyway. That said, in this configuration the BoD must take a more active role in order to ensure full CISO independence;
  2. To the CSO – A true CSO will generally have more than just data security as their remit, but CISO and CSO are very often used interchangeably. So depending on what the CSO actually does, this can be a good fit if s/he does not interfere with the CISO’s access to the BoD;
  3. To the CTO – To me this is almost the definition of conflict of interest, this never works even if the BoD dotted-line is in full effect;
  4. Any other member of the C-Level – At this point, the duties of the CISO are so far removed from the knowledge/skill-set of their manager that it almost doesn’t matter which one you choose. This will be ‘administrative-only’ reporting to the nth degree. But as long as the CISO’s relationship with the BoD is healthy, this should not detract from the CISO’s ability to get the job done; and/or
  5. Below C-Level – If the CISO role is more than 2 layers beneath the CEO, don’t bother having one, it’s clear neither the CEO or the BoD gives a damn.

Frankly, the CISO’s reporting structure is irrelevant if you haven’t chosen the right CISO for the right reasons. And AS a CISO, if you had no input to your reporting structure why did you take the job in the first place?

I am reminded of the eternal classic “The Hitchhiker’s Guide to the Galaxy” by Douglas Adams:

“Forty-two!” yelled Loonquawl. “Is that all you’ve got to show for seven and a half million years’ work?”

“I checked it very thoroughly,” said the computer, “and that quite definitely is the answer. I think the problem, to be quite honest with you, is that you’ve never actually known what the question is.”

[If you liked this article, please share! Want more like it, subscribe!]

CISO Sacrifice

How to Hire a CISO

In my experience, the hiring of a CISO is one of the last things on the minds of the overwhelming majority of Board of Directors (BoD). Well, maybe more accurately; it’s the last role they want to hire. Who wants to spend money on security? Where’s the ROI? While there is often significant kudos for corporate responsibility, its effects on the bottom line are invariably lost in translation.

I’ve written more than enough blogs on why cybersecurity is so essential to every organisation. Even tried to spell out some of its many benefits, but 180 subscribers will hardly change the course of a multi-billion £/€/$/¥ industry.

However, I will count this blog a HUGE success if I succeed in one, and especially both of the following:

  1. An organisation hires the exact right person for their cybersecurity needs; and/or
    o
  2. A prospective CISO asks all the right questions and gets the right job for them.

By far the biggest challenge for organisations in hiring a CISO is doing it for the right reason(s). Unfortunately the reason, 99 times out of 100, is necessity. From landing a big contract, to regulatory compliance, to post-breach PR, the CISO role is often nothing more than an empty suit. Compound this with the BoD having no idea of the right questions to ask the prospective candidates, the whole thing likely started out with little idea of what they were actually trying to achieve.

Security is not about technical requirements, it is a business process, and until the BoD see it as such no CISO job description (JD) will ever land the right candidates. In security, if you’re not an expert, never ask for what you want, find someone  who can fully detail the things you need. You’d be amazed how often these things are very different.

Steps to Hiring the Perfect CISO

But first, we need to stop thinking about the CISO as a person, CISO is a function. Or rather, a series of projects that culminates in a function. Security begins with a plan, then evolves through several phases into a coherent cycle of business enabling processes. I’ve never met a single individual with either the skill-set, or even the interest, to perform all of these phases. I for one would rather chew tinfoil than babysit something that does not require fixing.

Second, I am going to assume that the hiring of the CISO is going to be managed by the BoD, if not, none of these steps make sense.

Finally, I am going to use the types of CISO I defined in The 3 Types of CISO: Know Which You Need to illustrate my point.

Step 1: BoD must finalise three things: 1) their Mission Statement, 2) their Value Statement(s), and 3) their short / medium / long-term business goals.

Step 2: BoD uses all resources at their disposal to find the right resource(s) to turn the Mission/Values/Goals into an appropriate security strategy.

Step 3: Hire a p-CISO (Planner) for Phase 1 – skill-set prerequisites must include:

  • drafting Governance charters and policy sets;
  • standardising and performing initial risk assessments;
  • controls gap analysis;
  • developing business impact analyses (BIA);
  • defining a basic set of minimum security controls; and
  • chairing a Governance Committee meeting (this is a requirement across all 3 CISO types).

[Once Phase 1 tasking is roughly 75% complete, Phase 2 can begin. the p-CISO will be expected to fine-tune the draft JD for the e-CISO and hand over all relevant knowledge / duties.]

Step 4: Hire an e-CISO (Executor) for Phase 2 – skill-set prerequisites must include:

  • matching Policy Set with both business goals and the prevailing corporate culture;
  • socialisation and distribution of procedure and standard document coordination to relevant SMEs;
  • integration and centralisation of security control output into a unified incident response capability;
  • assignment and formalisation of all security responsibilities; and
  • implementation of disaster recovery (DR) and business continuity planning (BCP).

[Once Phase 2 tasking is roughly 75% complete, Phase 2 can begin. the e-CISO will be expected to fine-tune the draft JD for the o-CISO and hand over all relevant knowledge / duties.]

Step 5: Hire an o-CISO (Optimiser) for Phase 3 – skill-set prerequisites must include:

  • performing an objective review of all security controls including policies (with Internal Audit if available);
  • maintain their aspect of the company-wide Risk Register in-line with the security strategy and business goals;
  • formalise management information and security/risk metrics into a BoD-level reporting process; and
  • implement a cyclical program for continuous improvement.

Sample Phased Approach

That’s it, 5 simple steps. Very difficult and potentially expensive steps, yes, but simple nonetheless. Clearly these steps are VERY high level, and there is a lot more detail involved than that. This process could also take many months or even years. But the hiring of a CISO is not about finding people, it’s about committing to an idea and doing whatever it takes to bring that idea to life.

For that to happen, the BoD must stay involved. For the CISO roles as defined above to succeed the BoD needs to use as much of its influence as necessary to fully support them. A dotted line reporting structure directly to the BoD works best.

In my experience, if you’re looking to hire a CISO to sort out your security, you’ve already started down the wrong path. It’s the CISO who usually ends up paying the price.

If you’ve made it this far, you are probably thinking that the title of the blog should have been: How to Implement a Security Program. And you’d be right, it should, but the people wanting to hire a CISO probably wouldn’t have read it.

[If you liked this article, please share! Want more like it, subscribe!]

CISO Lifespan

Why CSOs / CISOs Only Have a 2 Year Lifespan

In previous blogs I expanded upon two main reasons why CISOs seem to have such a limited lifespan, and why the role is currently one of the most difficult senior leadership roles to both fulfil, and stay in long-term.

In Make the CSO Role a Board Appointment, or Don’t Bother Having One I touched upon the fact that so few CSOs; 1) are hired by the right people or for the right reasons, 2) report to the correct hierarchy, and 3) have the necessary support from the people from whom they need it most.

In The 3 Types of CISO: Know Which You Need I tried to explain why there is effectively no such thing as an ‘all-rounder’ CISO, so expectations are already completely out of line with reality.

I’ve now come up with a 3rd; Expecting the CISO alone to fix everything.

While this may be a byproduct of the first two, it is nevertheless important enough to be addressed by itself. And for once, I can’t actually blame the CEO entirely for this issue, the CISO is every bit as culpable.

Consider this scenario; An organisation, for whatever reason, decides it needs a security expert in senior management. Even if the BoD does get involved from the beginning, the organisation will end up writing a job description of some sort. This is no different from going to the Doctor’s, diagnosing yourself, and writing your own prescription.

This description will then be advertised in some fashion, guaranteeing that the only people who respond are the ones wholly unqualified to fill it. In the same way that anyone who wants to be in politics should be stopped from doing so, anyone who responds to a CISO role that they didn’t draft themselves has no idea what they are doing.

There is only one exception to this, and that’s if the organisation has already put the basics of a security program in place and need someone to optimise it. Everything before this is a series of consulting gigs, the aim of which is to prepare the organisation’s security program to the point a CISO can come in and run with it.

So, whether you’re an organisation looking for a long-term CISO, or a CISO looking for a long-term gig, what do you do?

A Security Program in 10 Difficult-as-Hell Steps

o

Clearly there are many steps in between these, as none of this appropriately addresses two of the most important aspects of any security program; 1) Senior Leadership’s role in changing the corporate culture, and 2) a Knowledge Management program personified by documented processes and procedures.

But in no way do I wish to downplay the CISO role to one of a babysitter, it is still one of the most difficult roles imaginable. However, I have never met a CISO who joined an organisation at Step 1, and was still the CISO a year or so later. Because the CISO role is perceived by many security professionals as the pinnacle of their career, too few ask the hard questions before committing;

  1. Has the organisation followed the 10 steps? – If no, where are they in the process?. If yes;
  2. Am I right for the job? – If no, can I help them find someone who is. If yes;
  3. Do I really want the job? – Go in with your eyes wide open, or again, walk away.

As long as both the organisation and the prospective CISO are fully aware of these issues, there is no reason a CISO can’t go the distance. That said, there is no reason a security program can’t be put on track without one…

[If you liked this article, please share! Want more like it, subscribe!]

The Types of CISO

The 3 Types of CISO: Know Which You Need

In “What’s the CEO Equivalent of The Peter Principle?” I posited that there are 3 kinds of CEO:

  1. Those good at starting a company;
  2. Those good at building start-ups to the point they can go public, or be acquired; and
  3. Those good at leading a company for the long-haul.

…with the theory being that unless the CEO knows which s/he is, s/he’ll eventually run a company into the ground. No CEO is really good at more than one, and I’ve met too many who aren’t good at any of them.

The CISO role is no different, and if you’re looking for one, you had better ask the right questions of your candidates. However, if you are a CISO or want to be one, then you must know which kind you are or you’re setting yourself up for failure.

What Are The 3 Types of CISO?

o

  1. The Planner: – The p-CISO comes in at the beginning of an engagement, before an organisation even knows what it actually needs. Their job is to design a security program that does the only thing it’s supposed to; support / enable the company’s business goals. The p-CISO must also write the Governance Charter, get the CEO to sign it, then implement the Governance Committee. 99% of all security programs fail at this stage, so this is perhaps the most difficult task of all.
    o
    Of the 3 types, this is the most creative, but also the least detailed oriented, which is why they probably should not try to run the program long-term.
    o
  2. The Executor: e-CISOs get things done. They take the hand-off from the p-CISO and put the agreed plan into action. While this may seem more like project management, there is a lot more to it than that. Putting a security program in place takes a shift in an organisation’s entire culture. Installing a firewall is easy, getting the CEO to accept full accountability for the ISMS is a Herculean task.
    o
    This type has the rare ability to focus on enormous amounts of detail, but is political enough to bring the people components together.
    o
  3. The Optimiser: o-CISOs are in it for the long-haul. These are the folks that take the still raw security program, and make sure it get fully instilled in the company culture and business as usual processes. They will also likely Chair or Co-Chair the Governance committee.
    o
    The most political of the 3 types, and it is the o-CISO’s incredibly difficult task to ensure that IT, IT Security, AND the business side all do their part. The depth and breadth of the position makes it one of the most difficult jobs imaginable.

Ignorance of these 3 types certainly goes a long way to explain why CISOs last less than 2 years on average. Organisations ask the wrong questions, and prospective CISOs have little concept of their own limitations.

I’m not saying that there is no overlap in these roles, there is. I’m also not saying that a single individual can’t be fairly good at more than one, they can. What I am saying is that, in practice, the skill-set required to be REALLY good at these roles is mutually exclusive. e.g. I have never met someone who thrives on creating something from scratch (p-CISO), have any interest whatsoever in baby-sitting something for the long-haul (o-CISO).

And that’s OK, you don’t just have one kind of doctor, or lawyer, why should a CISO be any different?

Unfortunately, too often the CISO role is seen as the ultimate goal in the career of a cybersecurity expert. But the fact remains that this role suits very few people long-term. Both p- and eCISOs are senior level consultants, only the o-CISO is a long-term employee.

And let’s not forget; Make the CSO Role a Board Appointment, or Don’t Bother Having One, the CISO is no different.

I’d be very interested to hear what actual CISOs think of this theory?

[If you liked this article, please share! Want more like it, subscribe!]