Make the CSO Role a Board Appointment, or Don’t Bother Having One

I’ve been reading a lot recently about how Boards of Directors (BoD) are starting to take cyber security more seriously. While I applaud this, and believe the trend can only be a good thing, in practice this is little more than lip-service.

Example scenario – Let’s assume a scenario where the CEO is not actually on the BoD:

Step 1: The Chairman, after receiving the requisite vote, will task the CEO with establishing a CSO position;

Step 2: The CEO tasks the senior IT person in the company (usually the CTO) with finding a suitable candidate, and;

Step 3: The CTO hires someone who ends up reporting directly to them.

Any one of these step by itself is a mistake, but all three combined will result in the CSO role being nothing more than smoke and mirrors, or an empty suit. Having a CSO in this scenario may look good on paper, but they will be utterly ineffectual.

Per Steps 1 & 2 – Instead, if the BoD make themselves accountable for the CSO role, they will have no choice but to do some homework. They won’t know the right questions to ask, so they have to find someone(s) who can. Few people I have seen who make it to the BoD level don’t have significant networks and/or support teams to tap into. They should use them.

The added benefit of having the BoD take such an active role in the CSO selection is they will have a much better understanding of what the person filling the role will actually be doing! Watching CSOs ask for budget from BoDs is a painful experience at best, and with just a little background the BoD can begin to speak the same language. The right CSO will already be familiar with the conversation in the other direction.

Per Step 3 – Having a CSO report to a CTO is as much use as hubcaps on a tractor, even reporting to the CEO has it’s limitations. While there is no way the BoD would/should take an active day-to-day role in the running of the company, having the CSO dotted-line into them gives the CSO the authority to perform their function properly. Anyone who can be fired out of hand for saying things the CEO doesn’t like will likely say very little. And let’s be clear, an ‘open seat’ CSO will have a LOT to say.

In effect, the CSO role is very similar to Internal Audit. They are certainly answerable to the CEO for the majority of their function, but their jobs are not [necessarily] at risk if the findings are not what the CEO wants to hear. The dotted-line into the BoD makes all the difference in the world.

All that said, the CSO role is a very attractive one for most security professionals. It’s often seen as the ultimate goal, which is why new CSOs have a VERY short life expectancy in their first few gigs; THEY don’t ask the right questions.

As things currently exist, there are only 3 questions a good CSO can ask before joining an organisation:

  1. Can I talk to the CEO? – [If No, walk away.]
  2. To whom will I be reporting? – [If anyone lower than the CEO, walk away.]
  3. Does IT Security have its own budget? – [If No you’ll likely spend most of your time begging for resources. Proceed at your own peril.]

Much like the CTO, a good CSO can be one of an organisation’s ultimate enablers, assuming they have not been hamstrung before they’ve even started.

[If you liked this article, please share! Want more like it, subscribe!]

Leave a Reply

Your email address will not be published. Required fields are marked *