Can Governance Replace the CISO?

Perform research on IT Governance models and you’ll eventually come across the concept of People, Process, & Technology (The Golden Triangle). Yet another concept whose origin has been lost in time (it was not Bruce Schneier), but one whose evolution has polarised the security industry.

On the one side you have the technology-first advocates. Even a security icon like Bruce Schneier says: “We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.” Oddly enough you’ll find most of the security product vendors in this camp too. I know, weird huh?

Then you have the side that I’m on, that says all the technology in the world can’t fix stupid. The enormous benefits that can be derived from technology are only achievable if the people put the processes in place to make the technologies effective.

In cybersecurity, technology can only enhance, it cannot fix.

Yes, of course technology is critical, why do you think I rage against PCI’s ‘daily review’ of logfiles so much? No, I do not believe that an organisation can ever achieve good security without the automation that only technology can bring, but putting technology first is the definitive cart before the horse.

In cybersecurity, technology can only enhance something that already works, it cannot replace it entirely.

So, to me, the job of the CISO is to get the three aspects of the golden triangle into line with the only thing that matters: the business goals. In the digital age, technology is the ultimate enabler, and the CSO/CISO the ultimate facilitator of that technology. The IT security function gets involved in everything from M&A to compliance, from incident response to internal audit; it’s the CISO’s role to bring it all together into a sustainable program, one that is only ever appropriate to the business’s needs and no more.

But none of this is possible without Governance. The CISO, as a facilitator, is only a bridge between the business goals and the means to get there. It’s the Governance function that gets the job done.

Also, not every organisation can afford a CISO, and frankly nor should they even contemplate one if there is no discernible return on investment. This is where the Virtual CISO can come into play, and from my perspective, the only reason to consider one. It’s the v-CISO’s job to train the governance committee (or whatever it’s called) to do what CISOs do.

Too many organisations are instantly turned off by the word ‘Governance’. At best it’s seen as unnecessary bureaucracy, at worst it’s perceived as some kind of dystopian ‘Big Brother’. Nothing could be further from the truth; it’s not a department, it’s not an institution, it’s a function, one designed to help keep a business IN business.

EVERY organisation needs governance, regardless of size, region, or industry sector. The governance charter, membership, responsibilities, and operation will vary considerably, but all need to be appropriate, and of measurable benefit.

Only someone with the skill-set of a true CISO can put this in place in such a way as to be sustainable without them. But only a Governance function can keep it going.

[If you liked this article, please share! Want more like it, subscribe!]


Make the CISO Role a Board Appointment, or Don’t Bother Having One

I’ve been reading a lot recently about how Boards of Directors (BoD) are starting to take cybersecurity more seriously. While I applaud this, and believe the trend can only be a good thing, in practice this is little more than lip-service.

Example – let’s assume a scenario where the CEO is not actually on the BoD:

Step 1: The Chairman, after receiving the requisite vote, will task the CEO with establishing a CISO position;

Step 2: The CEO tasks the senior IT person in the company (usually the CTO) with finding a suitable candidate, and;

Step 3: The CTO hires someone who ends up reporting directly to them.

Any one of these steps by itself is a mistake, but all three combined will result in the CISO role being nothing more than smoke and mirrors, or an empty suit. Having a CISO in this scenario may look good on paper, but they will be utterly ineffectual.

Per Steps 1 & 2 – Instead, if the BoD makes itself accountable for the CISO role, it will have no choice but to do some homework. Its members won’t know the right questions to ask, so they have to find someone (or several someones) who can. Few of the people I have seen reach BoD level lack significant networks and/or support teams to tap into. They should use them.

The added benefit of having the BoD take such an active role in the CISO selection is they will have a much better understanding of what the person filling the role will actually be doing! Watching CISOs ask for budget from BoDs is a painful experience at best, and with just a little background the BoD can begin to speak the same language. The right CISO will already be familiar with the conversation in the other direction.

Per Step 3 – Having a CISO report to a CTO is as much use as hubcaps on a tractor, even reporting to the CEO has its limitations. While there is no way the BoD would/should take an active day-to-day role in the running of the company, having the CISO dotted-line into them gives them the authority to perform their function properly. Anyone who can be fired out of hand for saying things the CEO doesn’t like will likely say very little. And let’s be clear, an ‘open-seat’ CISO will have a LOT to say.

In effect, the CISO role is very similar to Internal Audit. They are certainly answerable to the CEO for the majority of their function, but their jobs are not [necessarily] at risk if the findings are not what the CEO wants to hear. The dotted-line into the BoD makes all the difference in the world.

All that said, the CISO role is a very attractive one for most security professionals. It’s often seen as the ultimate goal, which is why new CISOs have a VERY short life expectancy in their first few gigs; THEY don’t ask the right questions.

As things currently exist, there are only 3 questions a good CISO can ask before joining an organisation:

  1. Can I talk to the CEO? – [If No, walk away.]
  2. To whom will I be reporting? – [If anyone lower than the CEO, walk away.]
  3. Does IT Security have its own budget? – [If No you’ll likely spend most of your time begging for resources. Proceed at your own peril.]

Much like the CTO, a good CISO can be one of an organisation’s ultimate enablers, assuming they have not been hamstrung before they’ve even started.



So You’re a CISO? How’s That Working Out for You?

For security professionals, the role of Chief Information Security Officer (CISO) is often seen as the ultimate career objective. The pinnacle job after years of paying your dues in what is still a fairly rarefied industry sector.

And it should be, if that’s what you actually want. I can think of no position other than the CEO that should have a better grasp of how a business functions than a CISO doing their job well. In fact, while the CEO has the overarching strategy and direction in their remit, it’s the CISO who knows where the information needed to make the right decisions is.

If you accept that data in context is information, information in context is knowledge, and knowledge correctly applied is what makes organisations successful, then: a) Confidentiality of the base data is critical; b) if the data is safe, Integrity can be more reasonably assured and the resulting information is, above all things, accurate; and c) the application of the information must be unhindered, suggesting that Availability of the data is the final piece of the puzzle.

You’ve all heard of C.I.A. in security, right? As far as I’m concerned it’s the CISO who is the guardian of it.

In a perfect world.

Unfortunately, far more prevalent is that the Board decides that a CISO is needed from an appearances perspective – perhaps due to some regulatory pressures – and the person hired has no real authority, no understanding of the overarching corporate strategy, and probably reports into the CTO or someone equally unsuitable.

It’s a shame really, because a good CISO will have unparalleled input into the following:

  1. The Security Program – From Risk Assessment all the way to Business Continuity Planning the CISO must be aware of every process related to the security life-cycle of the data under their care. Even the CTO won’t have their fingers in this many pies.
  2. Asset Management – There is nothing in security that can be performed outside of robust and comprehensive asset management. This will be the CISO’s primary focus until it’s where it needs to be.
  3. Mapping of Business Processes – If you don’t know how something works you can neither protect it nor fix it if it breaks. Business processes are the ultimate application of corporate knowledge and the CISO cannot do their job properly until they are all mapped, and preferably optimised.
  4. Success Measurement – As Peter Drucker is so often mis-quoted as saying; “You can’t manage what you can’t measure.” In security, unless the CISO can determine which security controls are working and which are not, appropriate security will be impossible. As will staying within budget.
  5. Regulatory Compliance – I cannot think of one regulatory compliance regime that does not have data at its core, so who better to report compliance status than the person who knows where it all is, and the controls around it?
  6. Change Control – In theory, if nothing can change on the inside without robust oversight, the only increase in risk to data assets will be from the changes to the external threat landscape. Which segues perfectly to;
  7. Vulnerability Management – With asset management and business processes as their primary focus, who is better placed to feed into the vulnerability management process to help prioritise ongoing remediation efforts?
  8. Business Transformation – In the 2000s, competitive advantages last weeks, not years. No-one is better placed to help a business transform itself than the person who knows where everything is, and everyONE who manages it.

Prospective CISOs may go into their new job thinking they will get to do all of the above, and the CEO who hires them may think that’s what they’re getting.

Too often neither side asks the right questions, and the CISO role ends up an empty suit.
