The Trials, Travail and Tribulations of Being a CISO: Part 4
I’ve been writing about the downsides of being a CISO, and I cannot close this series without discussing yet another significant downside–being expected to accomplish far too much with far too few resources. Nothing catalogs all the roles a CISO may have to take on quite like ISACA’s CISM Exam Preparation Manual does. Consider the following roles mentioned in this manual:
- Information security manager–one who must create and update the information security framework, strategy and action plan(s).
- Risk manager in charge of risk assessment and mitigation.
- Program manager responsible for planning, staffing, monitoring, and bringing to completion a constantly ongoing series of projects to implement security controls and initiatives.
- Line organization manager with responsibilities related to the information security organization’s budget, personnel appraisals, hiring, firing, and promoting.
- Advisor to other organizations (including executive-level management) concerning a wide range of security and technical issues.
- Compliance manager regarding information security-related issues.
- Incident response manager.
- Liaison with other closely related areas such as audit, physical security, and legal, and the person who must assign security-related roles and responsibilities within these other areas.
- Monitor of change control processes and the person who advises others within the organization of new security risks that surface in connection with changes.
- Consultant to projects throughout the system development life cycle.
- Creator of and first line of enforcement for information security policies and standards.
I could keep going, but I think that by now you see the point. The majority of information security practices of which I am aware have suffered austere staffing cutbacks over the last few years. Unfortunately, CISOs are now expected to perform a large number of extremely critical roles that were previously assigned, at least in part, to subordinates within the information security organization, which relieved the CISO of having to try to do everything. CISOs now simply have far too much to do. Twelve-hour workdays are not all that far from the norm for CISOs nowadays. Suffice it to say that part of the trials, travail, and tribulations of a CISO is having an overwhelming amount of work. When funding is available, contractors and consultants can bridge the staffing gap, but they cannot entirely compensate for having insufficient personnel to perform information security-related tasks.

Faced with too much to do and insufficient staffing, CISOs are forced to choose among potential roles according to priorities, which will vary according to business and operational needs. Roles most directly related to information security governance are likely to be of the highest priority, whereas others, such as providing input to projects, are likely to be very important but not sufficiently important to make the list of the top five or six. CISOs who have information security steering committees at least have the advantage of being able to approach committee members for feedback on which roles should come first.

So here is a toast to CISOs everywhere out there. Many of you are understaffed, underappreciated, overworked, and underpaid. Will things get better for you if and when the economy improves? I surely hope so.