CISO Lifespan

Why CSOs / CISOs Only Have a 2 Year Lifespan

In previous blogs I expanded upon two main reasons why CISOs seem to have such a limited lifespan, and why the role is currently one of the most difficult senior leadership roles to both fulfil, and stay in long-term.

In Make the CSO Role a Board Appointment, or Don’t Bother Having One I touched upon the fact that so few CSOs: 1) are hired by the right people or for the right reasons, 2) report to the correct hierarchy, and 3) have the necessary support from the people from whom they need it most.

In The 3 Types of CISO: Know Which You Need I tried to explain why there is effectively no such thing as an ‘all-rounder’ CISO, so expectations are already completely out of line with reality.

I’ve now come up with a third: expecting the CISO alone to fix everything.

While this may be a byproduct of the first two, it is nevertheless important enough to be addressed by itself. And for once, I can’t actually blame the CEO entirely for this issue; the CISO is every bit as culpable.

Consider this scenario: an organisation, for whatever reason, decides it needs a security expert in senior management. Even if the BoD does get involved from the beginning, the organisation will end up writing a job description of some sort. This is no different from going to the doctor’s, diagnosing yourself, and writing your own prescription.

This description will then be advertised in some fashion, guaranteeing that the only people who respond are the ones wholly unqualified to fill it. In the same way that anyone who wants to be in politics should be stopped from doing so, anyone who responds to a CISO role that they didn’t draft themselves has no idea what they are doing.

There is only one exception to this, and that’s if the organisation has already put the basics of a security program in place and needs someone to optimise it. Everything before this is a series of consulting gigs, the aim of which is to prepare the organisation’s security program to the point where a CISO can come in and run with it.

So, whether you’re an organisation looking for a long-term CISO, or a CISO looking for a long-term gig, what do you do?

A Security Program in 10 Difficult-as-Hell Steps


Clearly there are many steps in between these, as none of this appropriately addresses two of the most important aspects of any security program: 1) senior leadership’s role in changing the corporate culture, and 2) a knowledge management program embodied in documented processes and procedures.

But in no way do I wish to downplay the CISO role to one of a babysitter; it is still one of the most difficult roles imaginable. However, I have never met a CISO who joined an organisation at Step 1 and was still the CISO a year or so later. Because the CISO role is perceived by many security professionals as the pinnacle of their career, too few ask the hard questions before committing:

  1. Has the organisation followed the 10 steps? – If no, where are they in the process? If yes:
  2. Am I right for the job? – If no, can I help them find someone who is? If yes:
  3. Do I really want the job? – Go in with your eyes wide open, or again, walk away.

As long as both the organisation and the prospective CISO are fully aware of these issues, there is no reason a CISO can’t go the distance. That said, there is no reason a security program can’t be put on track without one…


Make the CSO Role a Board Appointment, or Don’t Bother Having One

I’ve been reading a lot recently about how Boards of Directors (BoD) are starting to take cyber security more seriously. While I applaud this, and believe the trend can only be a good thing, in practice this is little more than lip-service.

Example scenario – let’s assume a scenario where the CEO is not actually on the BoD:

Step 1: The Chairman, after receiving the requisite vote, will task the CEO with establishing a CSO position;

Step 2: The CEO tasks the senior IT person in the company (usually the CTO) with finding a suitable candidate; and

Step 3: The CTO hires someone who ends up reporting directly to them.

Any one of these steps by itself is a mistake, but all three combined will result in the CSO role being nothing more than smoke and mirrors, or an empty suit. Having a CSO in this scenario may look good on paper, but they will be utterly ineffectual.

Per Steps 1 & 2 – Instead, if the BoD make themselves accountable for the CSO role, they will have no choice but to do some homework. They won’t know the right questions to ask, so they have to find someone (or several people) who can. Few people I have seen who make it to the BoD level lack significant networks and/or support teams to tap into. They should use them.

The added benefit of having the BoD take such an active role in the CSO selection is they will have a much better understanding of what the person filling the role will actually be doing! Watching CSOs ask for budget from BoDs is a painful experience at best, and with just a little background the BoD can begin to speak the same language. The right CSO will already be familiar with the conversation in the other direction.

Per Step 3 – Having a CSO report to a CTO is as much use as hubcaps on a tractor; even reporting to the CEO has its limitations. While there is no way the BoD would/should take an active day-to-day role in the running of the company, having the CSO dotted-line into them gives the CSO the authority to perform their function properly. Anyone who can be fired out of hand for saying things the CEO doesn’t like will likely say very little. And let’s be clear, an ‘open seat’ CSO will have a LOT to say.

In effect, the CSO role is very similar to Internal Audit. They are certainly answerable to the CEO for the majority of their function, but their jobs are not [necessarily] at risk if the findings are not what the CEO wants to hear. The dotted-line into the BoD makes all the difference in the world.

All that said, the CSO role is a very attractive one for most security professionals. It’s often seen as the ultimate goal, which is why new CSOs have a VERY short life expectancy in their first few gigs: THEY don’t ask the right questions.

As things currently exist, there are only 3 questions a good CSO can ask before joining an organisation:

  1. Can I talk to the CEO? – [If No, walk away.]
  2. To whom will I be reporting? – [If anyone lower than the CEO, walk away.]
  3. Does IT Security have its own budget? – [If No, you’ll likely spend most of your time begging for resources. Proceed at your own peril.]

Much like the CTO, a good CSO can be one of an organisation’s ultimate enablers, assuming they have not been hamstrung before they’ve even started.
