Chief information security officers (CISOs) today have replaced chief information officers (CIOs) as the most under-valued C-level executives. In fact, according to research from the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), nearly one-third (29 percent) of corporations today still do not have a CISO role or its equivalent. And for those that do have such a role, the CISO is often relegated to “glorified administrator” status, rather than strategic business enabler.
This is why CISOs are almost always fired or “resign” after major data breaches. When shareholders and customers demand blood following a breach, the CISO is the sacrificial lamb, even if there is no realistic way the CISO could have prevented the breach under the operating circumstances (which could include insufficient budget, headcount, and business visibility). This is often a self-defeating act, since the CISO is usually the most qualified person to manage post-breach forensics, cleanup, and compliance audits.
In many ways, the plight of today’s CISO mimics that of CIOs in the 1990s. Back then, the CIO stereotype among business executives was “the guy crawling around under the desk connecting cables.” And, like today’s CISO, the CIO was only noticed when things went wrong. Today, CIOs have taken their rightful place in the boardroom as digital business has become a key driver to business strategy across industries. According to an IDC survey, at the end of 2017 two-thirds of Global 2000 CEOs had digital transformation at the center of their corporate strategy. (As Domino’s Pizza CEO Patrick Doyle has famously said, “We are a tech company that happens to sell pizza.”)
However, enterprises have been slow to embrace security as an enabler of this digital transformation. Of those enterprises that have a CISO role, only 44 percent of the ESG/ISSA survey respondents indicated their CISOs had an adequate amount of interaction with CEOs and boards of directors. As a result, CISOs today are often expressing the same lament as CIOs in the 1990s: “I can’t get a seat in the boardroom.”
Cybersecurity remains a secondary risk
Cybersecurity, amazingly, is often not a top-tier priority in enterprise risk management. There are several factors driving this phenomenon, including:
- Many organizations have not established a consolidated point of responsibility for governance, risk, and compliance, so cybersecurity operates in its own silo, with business executives often blissfully unaware of potential cyber risks until something goes wrong (i.e., a data breach).
- The financial risk of cybersecurity has historically not been as severe as traditional forms of risk, such as lawsuits, supply chain disruptions, competitive issues, etc., so executives have not raised cybersecurity to its appropriate level of emphasis. This is becoming increasingly dangerous as regulations with real teeth, such as GDPR, are enforced, and cyber-criminals become more insidious with ransomware and other attacks that can cause damaging business disruption.
- The requirements of the business often trump the requirements of security, so enterprises will forge ahead with digital transformation initiatives without undergoing the appropriate security checks. This has dramatically expanded the enterprise “attack surface” as enterprises adopt new IT paradigms, such as cloud and mobile, without enacting appropriate security measures.
These issues have given security a bad name – they’re “the guys who always say no” to new digital business projects – so many business leaders either do not think of inviting CISOs into strategic discussions or deliberately avoid doing so to prevent security roadblocks to new initiatives.
This dynamic exposes many enterprises to potentially devastating consequences. And, in this age of GDPR, California’s Consumer Privacy Act, and next-generation ransomware and denial of service attacks, a firm’s ability to provide security is also becoming a matter of survival.
Put it all together, and many CISOs today exist in environments where they are not understood by business executives and thus are not being included in business initiatives until it is too late and security vulnerabilities expose the enterprise to cyberattacks and compliance violations. This is all happening amid a global cybersecurity skills shortage that has left staffs overworked and focused on mundane “keeping the lights on” activities, rather than more strategic pursuits that could advance the business (like securing that next digital transformation initiative). And to top it all off, CISOs remain the most convenient scapegoat when bad things happen, so data breaches hang over their heads like a career-ending Sword of Damocles.
Time to take a walk
What’s a CISO to do? Simple – get up and take a walk (literally, not figuratively).
CISOs should follow the management technique pioneered by Bill Hewlett and Dave Packard in the late 1950s: management by walking around. They should make a point of getting outside their security bubble and walking around the company, talking to businesspeople about their latest initiatives and goals.
This is the single most common piece of advice I give CISOs – because “bubble entrapment” is the most common malady I see. Walking around and talking to businesspeople not only gives CISOs valuable information that should be factored into security strategy; it also gives them the opportunity to educate business leaders that they are not roadblocks or “necessary evils” and instead can dramatically improve the long-term likelihood of success of business initiatives. They can educate everyone — from product managers, to the CEO, right up to the Board of Directors — that digital transformation is not the ultimate goal of the business; secure digital transformation is.
Walking around will also be a valuable education in speaking plain English. Many CISOs have difficulty communicating their worth to business executives, simply because they have not mastered the ability to express their operations in terms that are meaningful to those executives. Telling the CFO that you successfully thwarted 2,345 attempted intrusions onto the network does not mean anything in business terms. Telling the CFO that your data security project will protect the company from GDPR violations that could amount to 4 percent of annual revenue will mean a lot.
To create a more sustainable and rewarding career path, CISOs need to make that same transition CIOs did around the turn of the century – the transformation from “techno-geek” to “businessperson who’s also a technology expert.” This is why many of today’s most successful CISOs have MBA degrees. According to a 2018 Forrester Research report, 43 percent of Fortune 500 CISOs have an advanced degree, and about half of those are MBAs. Leading CISOs know they need to be businesspeople first, technical experts second.
This transition is not going to happen organically. CISOs have to make it happen. Organizations that do not include the CISO in business discussions are not going to suddenly “see the light” and roll out the red carpet at the next board meeting. Instead, CISOs need to make themselves known as professionals who understand the business and can take the risk out of next-generation digital initiatives. Getting an advanced business degree will certainly help in that effort. But degree or no degree, the single most effective way to change the conversation around security is simple: Get off your butt and walk around.
Joseph Schorr is a Global Executive Services Director at Optiv Security based in Denver. He works with large-company CISOs to solve their most important security issues.