In the first part of this blog, I looked at strategies and how the CISO finds themselves in the most enviable and demanding position in 2018.
Next, the CISO must drive change in the team they surround themselves with, and businesses must play their part by supporting and elevating the CISO role.
CISOs should spread the “burden”
While CISOs are ultimately responsible for a business’s information security, that doesn’t mean they must walk the path alone. Said plainly, too often the CISO becomes a choke point instead of being a great delegator.
The IT security industry is a volatile and unpredictable environment, so spreading the burden goes a long way towards relieving the pressure on a programme or on a single individual. The greater benefit, however, is that a burden shared becomes an opportunity for others.
By surrounding themselves with experienced, reliable lieutenants, CISOs can divide and conquer the vast array of responsibilities that are now part of the role, leaving them to work primarily on influencing the business and mentoring and building the security team.
The team may include specialists to head up compliance requirements, media and communications experts specifically for security communications, and technical development and incident response planning experts. Crucially, these lieutenants must all be empowered to conduct their roles without being undermined, especially by the CISO. They will require on-going mentorship and coaching from the CISO in order to operate as effectively as possible.
Businesses should equip CISOs with the skills they need
The well-documented global shortage of cyber security experts means demand for competent, experienced CISOs far outstrips supply, leaving many businesses scrambling to fill vacant positions with the best candidates they can find. The result is that many of today’s CISOs are not equipped with the skills needed to do the job properly.
When placed in the pressure cooker environment that most CISOs must operate in, the outcome is all too predictable: high turnover, low morale and ineffective security programs.
Unfortunately, there’s no quick solution to the global shortage of security personnel, which means businesses must instead focus on investing in the best training and coaching they can to equip CISOs with the skills and knowledge needed to hit the ground running.
You never want a CISO’s first introduction to business leaders to happen during a crisis, and the right coaching can prevent this. Businesses should consider putting in place a job-shadowing track for the CISO and his/her direct reports, so that they learn how the business operates before an incident forces the lesson. Some of the most impressive CISOs I’ve met can easily explain how their business makes money.
Businesses must elevate the CISO position
The future CISO should be evaluated on the degree to which they influence the direction and investment of their company. This influence is a combined product of the observations, risks, incidents, and understanding of the business – it cannot be filtered through another lens or merely receive a single bullet in a leadership team presentation.
The role of the CISO is often perceived as just another tactical IT role rather than a strategic business one. As a result, CISOs are often denied a seat at the ‘big’ table and are instead made subordinate to the CIO or CTO. The problem is that the CIO/CTO and CISO roles frequently have conflicting interests: the CIO/CTO is measured on delivery and availability, while the CISO is measured on the risk that delivery introduces.
Much of a CISO’s success (the security of the organization) depends on the behaviour of the staff who report to the CIO or CTO. Security is no longer just a technical problem, so businesses need to explore alternative, more appropriate reporting structures: for example, placing equal responsibility on the CIO and the CISO, or having the CISO report to the CEO with a dotted line to the board.
Time of reckoning…
Gone are the days when IT security was little more than a back-office function requiring minimal investment. Today it is big business and, in most cases, a big expense.
Many look at CISOs as the one-stop solution to all their IT security woes, but in reality it just isn’t that simple. CISOs require an empowered team around them, and the knowledge and skills to make the right decisions when it matters; this requires exposure to the business and a proper station within it. The high-pressure environment in which they are required to operate isn’t for the faint-hearted, but with the right support network and backing, they can make a big difference.
Stephen Moore will be speaking in the session "CISO's Getting Fired - The Future of Breach Accountability" in the Infosecurity Magazine Virtual Conference on 20th and 21st March. Register here.