CISO, We Have a Problem

Since 2001, I’ve worked with hundreds – even thousands – of infosec practitioners: analysts, engineers, technicians, admins. It’s been my overwhelming experience they try hard to make a difference, to do the right thing in the right way. With every passing year, they’re told to do more with less – and they often succeed.

Most infosec leaders aren’t succeeding, however. They’re failing. They’re lagging far behind.

Most CISOs appear to not feel personally responsible for – connected to – their mission, their purpose, the larger goal of their leadership. They seem lost, rudderless.

The symptoms range from troubling (not speaking up when something is possibly risky or worth investigating), to dangerous (approving business initiatives that are known, demonstrably unsafe, illegal, or immoral), to downright destructive (burying evidence of data breaches, falsifying pentest results, firing whistleblowers, etc.).

Here’s why it’s happening, in my experience.

CISOs (some would say through no fault of their own) care more about how they appear to CIOs and Boards, than they do about protecting their organization and its critical data assets and human resources. Why? Because they’ve been forced to: they’re only in place for a year or two, their authority is limited, and their ability to effect change is severely constrained.

Not surprisingly, courage is in short supply, and passion for the job is even rarer. If the nail that sticks up gets hammered down, CISOs have done what they could to keep a low profile.

Here are three ways we’re worse off now than we were eighteen years ago when I took my first job in the infosec industry:

  1. Cloud Blues. CISOs, who have traditionally worked to secure perimeters, implement on-prem controls, and monitor systems and assets for compromise, no longer have control over the infrastructure. Everything is in the Cloud, or moving to it. CISOs could have pivoted to a more proactive role determining risk appetites, new control landscapes, and massively overhauled vendor risk management processes, but they haven’t. What have they done? They’ve largely watched from the sidelines as Cloud apps have swelled in number and importance. CISOs have been told to safeguard these apps — apps they didn’t evaluate, test, or select, and into which they have limited visibility. All along, CISOs have remained the organizational flashpoint – scapegoat – for data loss.
  2. Security Subordinates. For decades we’ve been discussing how CISOs should report to *anyone* but the CIO. They still do. I can count comfortably on two hands which CISOs at our 100+ active customer organizations are treated as “cabinet level” leaders, leaders who are consulted early and often before others determine the direction of an idea or strategy. All the other CISOs I know? They fall on a continuum from paper-pushing bureaucrats (“did you fill out the change management forms in triplicate?”) to security product budget coordinators (“hey Tom from XYZ Corp. is here – free steak dinner, anyone?”) to “The sky is falling!” Chicken Littles who preach doom and gloom at every turn.
  3. More Risk Than Ever. Are we more secure or better protected than we were in 2001? No, we’re worse off: exponentially more data, swelling Cloud usage, ubiquitous mobility, largely open access to external and third parties, and serious challenges with identity, authentication, and authorization. In 2020, the “good guys” are weaker politically and organizationally than ever before, while attackers are better organized, better paid, and more successful.

There isn’t one single answer to our problems, but there are some high priority items that need to change immediately:

  • Au revoir to CISOs. Centralized infosec is dead, and along with it the role of the CISO. It’s hard to say those words, and harder still to read them. We need to admit defeat, get rid of the title and position, downgrade and decentralize it, and replace it with functional risk managers that are much closer to daily operations: Privacy, HR Security, Cybersecurity, Data Compliance, Data Protection, Cloud App Security, Third-Party Vendor Risk Management. Have these people report to different, non-IT leaders in Legal, Compliance, Audit, HR, Operations, and Finance – but bring them together in a single working body with real decision-making authority that answers to the Board (and no one else).
  • Pump up the passion. Hey CIOs — if you’re going to keep the role of CISO, please consolidate his or her power, tenure them for a minimum of two years (three or four is better), have them report directly to the Board, and give them explicit amnesty in the event of a data breach or security incident – to empower them to a) speak truth to power and b) effect uncomfortable but needed change. No one does the right thing when they’re running scared.
  • Bake it in. Re-engineer your business management strategies to include and mandate security/privacy/risk involvement, not so those individuals can say “no”, but so they can say “yes” in a way that is competitively aligned and manages risk throughout the entire lifecycle (inception to maintenance). Stop wagging your finger and start figuring out how to make it work.
  • Baby and bathwater. Revisit your entire IT security budget spend based on empirical evidence regarding control coverage, technology efficacy, tool duplication, and optimal configuration/usage/reporting. We have way, way too much technology, and not nearly enough human expertise.
  • ERM for the win! Commit yourself to Enterprise Risk Management (ERM). Data risk cannot be siloed: it pervades every function in every organization. Data risks should be at the top of most companies’ consolidated risk registers, but to get there, infosec professionals need to consider how their risks compare and relate to other organizational priorities.

CISOs have been marginalized – and accepting of that marginalization – for far too long. It’s time to make big, bold changes.

I know we can rededicate ourselves, as an industry, to protecting our people and safeguarding our data. But we need stop talking about our challenges. Let’s act to reinvent infosec leadership today, together.

Sean Steele is a co-founder and managing partner of Infolock. He has his CISSP, CISA, and CRISC certifications, and believes a great defense beats a great offense any day of the week.

< PREVThe Four Do’s of DLPData Breach Cynicism Takes HoldNEXT >