I’ve been reading a lot recently about how Boards of Directors (BoD) are starting to take cybersecurity more seriously. While I applaud this, and believe the trend can only be a good thing, in practice this is little more than lip-service.
Example scenario – Let’s assume a scenario where the CEO is not actually on the BoD:
Step 1: The Chairman, after receiving the requisite vote, will task the CEO with establishing a CISO position;
Step 2: The CEO tasks the senior IT person in the company (usually the CTO) with finding a suitable candidate, and;
Step 3: The CTO hires someone who ends up reporting directly to them.
Any one of these step by itself is a mistake, but all three combined will result in the CISO role being nothing more than smoke and mirrors, or an empty suit. Having a CISO in this scenario may look good on paper, but they will be utterly ineffectual.
Per Steps 1 & 2 – Instead, if the BoD make themselves accountable for the CISO role, they will have no choice but to do some homework. They won’t know the right questions to ask, so they have to find someone(s) who can. Few people I have seen who make it to the BoD level don’t have significant networks and/or support teams to tap into. They should use them.
The added benefit of having the BoD take such an active role in the CISO selection is they will have a much better understanding of what the person filling the role will actually be doing! Watching CISOs ask for budget from BoDs is a painful experience at best, and with just a little background the BoD can begin to speak the same language. The right CISO will already be familiar with the conversation in the other direction.
Per Step 3 – Having a CISO report to a CTO is as much use as hubcaps on a tractor, even reporting to the CEO has its limitations. While there is no way the BoD would/should take an active day-to-day role in the running of the company, having the CISO dotted-line into them gives them the authority to perform their function properly. Anyone who can be fired out of hand for saying things the CEO doesn’t like will likely say very little. And let’s be clear, an ‘open-seat’ CISO will have a LOT to say.
In effect, the CISO role is very similar to Internal Audit. They are certainly answerable to the CEO for the majority of their function, but their jobs are not [necessarily] at risk if the findings are not what the CEO wants to hear. The dotted-line into the BoD makes all the difference in the world.
All that said, the CISO role is a very attractive one for most security professionals. It’s often seen as the ultimate goal, which is why new CISOs have a VERY short life expectancy in their first few gigs; THEY don’t ask the right questions.
As things currently exist, there are only 3 questions a good CISO can ask before joining an organisation:
- Can I talk to the CEO? – [If No, walk away.]
- To whom will I be reporting? – [If anyone lower than the CEO, walk away.]
- Does IT Security have its own budget? – [If No you’ll likely spend most of your time begging for resources. Proceed at your own peril.]
Much like the CTO, a good CISO can be one of an organisation’s ultimate enablers, assuming they have not been hamstrung before they’ve even started.
[If you liked this article, please share! Want more like it, subscribe!]