The Trials, Travail and Tribulations of Being a CISO: Part 1
Being a Chief Information Security Officer (CISO) or the equivalent is one of the toughest jobs one can have. I know well at least a dozen people who currently serve as CISOs, and I have consulted for and sometimes given free advice to many of them and others over the years. For three and a half years I served as the CISO of the company for which I worked before I came to Emagined Security. I’m thus well acquainted with the trials, travail and tribulations of CISOs’ jobs.
In theory, the CISO’s job should not be so dreadful. The many costly data security breaches that have occurred over the last half decade or so have the attention of senior management; it is only natural for them to turn to the CISO for answers and solutions. Additionally, the number of information security-related statutes and regulations has grown substantially in the same period of time. Again, senior management and the compliance and legal functions within organizations have frequently sought guidance and leadership from the CISO in their quest to conform to compliance mandates. Furthermore, the ever-increasing flood of intrusions into government and commercial computers originating from countries such as China and Russia shows that cyberespionage is a very serious and real threat. Although CISOs do not have all the answers, they generally have enough to make a real difference in the fight against cyberespionage. The CISO, the head of the information security function, should thus be widely perceived as a “go-to” person within an organization.
Theory and practice do not always converge, however. In reality, the majority of the CISOs I know have a great deal of responsibility, but little authority. In many ways, information security practices are widely viewed as sources of trouble within their organizations, and in some cases as the “business prevention” function. Why? The CISO so often comes in and dutifully starts creating and/or revising policies and standards that cause staff in other areas within an organization to have to deal with new barriers and constraints. Application programmers, for example, have a hard enough time just cranking out code within imposed deadlines. Soon new security standards require that code developed in-house must revoke privileges when routines that run as the superuser are exited, must not rely on environment variables, must not allow shell escapes, and so forth. In the mind of the application programmer, the CISO has added the proverbial last straw to the camel’s back. The same is likely to be true for system and network administrators, Webmasters, operations staff, and others.
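To make two of those standards concrete (permanently revoking superuser privileges, and refusing to trust the inherited environment), here is an added example in C. It is illustrative code written for this post, not code from the original entry or from any particular organization’s standard; the function names, the list of dangerous variable prefixes, and the sample environments are all my own assumptions.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

/* Permanently drop to uid/gid and verify the drop actually took.
 * Order matters: supplementary groups first (only root may clear them),
 * then the gid, then the uid; once the uid is gone the group calls fail.
 * Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The standard's "revoke" means permanent: if the saved uid were still
     * 0, setuid(0) would succeed here, so treat that as a failed drop. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

/* Returns 1 if every PATH component is absolute, else 0. Empty components
 * ("::", leading/trailing ':') and "." mean "current directory", which lets
 * whoever controls that directory plant a lookalike binary. */
int path_value_is_safe(const char *value) {
    const char *p = value;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;
        if (colon == NULL)
            return 1;
        p = colon + 1;
    }
}

/* Counts environment entries a privileged program must not rely on:
 * dynamic-loader overrides, shell start-up hooks, IFS, and an unsafe PATH.
 * The prefix list is an assumption for this example, not an exhaustive one. */
int count_unsafe_env(char *const envp[]) {
    static const char *const bad_prefixes[] = {
        "LD_", "DYLD_", "IFS=", "ENV=", "BASH_ENV=", "SHELLOPTS=", NULL
    };
    int n = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        int flagged = 0;
        for (size_t j = 0; bad_prefixes[j] != NULL; j++) {
            if (strncmp(envp[i], bad_prefixes[j], strlen(bad_prefixes[j])) == 0) {
                flagged = 1;
                break;
            }
        }
        if (!flagged && strncmp(envp[i], "PATH=", 5) == 0 &&
            !path_value_is_safe(envp[i] + 5))
            flagged = 1;
        n += flagged;
    }
    return n;
}

int main(void) {
    /* A privileged routine would do its work here, then drop for good.
     * Dropping to our own ids is a no-op when run unprivileged, but the
     * same call is what a setuid-root program makes after its root work. */
    int unsafe = count_unsafe_env(environ);
    printf("untrusted environment entries: %d\n", unsafe);
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    /* Rather than trusting the inherited environment, a privileged program
     * should build its own before exec'ing anything (and use execve with an
     * explicit argv rather than system(), which hands the string to a shell). */
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    printf("clean environment flagged entries: %d\n", count_unsafe_env(clean_env));
    return 0;
}
```

The check after `setuid()` is the part programmers most often omit: on many systems a setuid-root binary that calls `seteuid()` instead of `setuid()` keeps a saved uid of 0 and can silently regain root later, which is exactly what the standard in the paragraph above is trying to prevent.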
In previous blog entries I have discussed what I believe are success factors in the CISO’s job. One of the most important of these is knowing the business that the information security function is supposed to serve. I’ve previously argued that getting an MBA is now better than earning an MS in computer science, engineering, or industrial technology. Unfortunately, despite many calls for information security professionals to get business training, many have not heeded these recommendations. Too often CISOs instead work within their own little silo in which posters displaying the major areas of ISO/IEC 27001 or security-related control objectives from COBIT are hung in hallways. It would be far better to come out of the silo, put on a business hat, and display the front page of the Wall Street Journal and the major business objectives for the organization.
One thing to keep in mind is that “every victim participates in his victimization.” This old saying does not mean that every victim completely causes his or her own victimization, but rather that victims (often through inappropriate behavior, such as giving up or not being situationally aware) often contribute to the process of their being victimized. This saying very much applies to CISOs. Highly successful CISOs succeed because they bridge the gap between an information security practice and the business it is supposed to serve. They also have strong interpersonal skills. The CISO’s job may not be fun, but effective CISOs at least take some of the negativity out of the job by creating fewer barriers, constraints, and reasons for interpersonal conflict.