This question isn’t new. In fact, in almost all of the interviews I have attended, this question pops up somehow (besides how much less you can earn while doing a lot more!).
Everyone’s going to hate my answer, but here it is.
Yes, yes it does. Sad but true. But let’s look further to understand why.
A few factors determine where the CISO will focus his/her attention: first, the expectations of senior management and the Board; second, the maturity of the organisation. The three scenarios below show how those factors shape the role.
Scenario 1
An organization has just hired a CISO. It had a small security team (essentially IT staff told to take up the responsibility for security). The team was an organised mess: processes had been established, but they focused on operational matters rather than on security (e.g. managing the firewall ruleset for projects and deployments). The team’s security competence was medium; they understood IT operations, but not the nuances of cyber security. The CEO found the team ineffective, had low confidence in it, and onboarded a CISO to relook at the team and “make it better”. The team had a lot of questions and needed answers even on fundamental issues such as how NAT works. There were a lot of gaps in what the team was doing, and no forethought had gone into it, as the team was built out of urgency rather than proper planning.
In this instance, it is important for the CISO to be technically inclined. The CISO’s focus will be on gearing the team up. The CISO will be looked at as the “subject matter expert” and be the reference point for the team to move forward. You’re a technical CISO more than anything else.
Scenario 2
An organization has a fully functional Cyber Security team. The team has sufficient (not the best) competence, understands the nuances of Cyber Security and knows what needs to be done. Their attention is divided between operational work and compliance/governance. The team reports to the Operations head.
You are hired under the Chief Risk Officer, acting as the head of Technology & Cyber Risk. You’re given the title of CISO and are accountable for ensuring the organization stays cyber secure. Your focus is on managing risks more than dipping your feet into technical matters (though you are required to bring technical details to the Board’s attention and explain them). Your role acts as the second line of defense, keeping tabs on the security team and making sure they stay on top of their game. Interestingly, while you are CISO, the budget for security operations is separate, and you don’t get to dictate how they spend it or where they put their priorities.
This raises an interesting question: can a CISO be effective as a completely separate/independent second line of defense? (We answer this question in an upcoming CISO Series article.)
In this case, as CISO, your focus is more risk-oriented. You need to translate cyber happenings into business speak and show them in dollars and sense (pun intended). Your participation in management forums and board committees becomes a focus. You act as force and counter-force to the existing security operations.
Scenario 3
You enter a fully mature organisation. Security operations and risk are well managed and have metrics for continuous improvement. On a maturity model, your teams sit at level 4 for most of their processes. Your teams are well equipped and have their respective subject matter experts guiding them.
As CISO, you turn your focus to the business. The question on your wall reads: “How does Cyber Security add value to the business? How can Cyber Security be the differentiating factor that affects revenue positively?” You look at making Cyber Security a business-positive aspect, building security and trustworthiness into a differentiating factor that gains more customers and revenue.
What organizations want
Most organizations, if asked, would go straight for Scenario 3, while in reality some remain in Scenario 1. The details may change, but the situation remains similar.
Are the three scenarios mutually exclusive? Of course not. The scenarios highlight the dominant role of the CISO (in other words, where the CISO will spend most of his time). Eventually, as time goes by, the gaps in the organization will force the CISO to take up that responsibility. A mismatch of expectations will set the CISO up to fail: senior management expects value while there are fires burning in operations. The CISO is left to be the bearer of bad news and, in any instance, is ultimately responsible for ensuring that senior management is up to speed with what is happening on the ground.
For example, in Scenario 1 there are barely enough staff to handle all of the operational roles. But being in a highly regulated industry, the expectation is for compliance/governance/audit to be tip-top. The CEO was visibly upset with the CISO when there were constant audit issues, and it was up to the CISO to communicate that the team is simply not sized for compliance/audit activities. The CISO’s focus will be putting out immediate fires at the operational level.
This brings us to another interesting question – who does the CISO fear more, the auditor or the threat actor? (We cover this in the next CISO Series article.)
Fellow CISOs – are there any particular topics you want to see discussed? Bring it on!