Ciso, We Have A Problem

August 17, 2022

2 min read

Sean Steele is co-founder and managing
partner at Infolock.

In This Article

Join Our Newsletter

Follow Us


Since 2001, I’ve worked with hundreds – even thousands – of infosec practitioners: analysts, engineers, technicians, admins. It’s been my overwhelming experience they try hard to make a difference, to do the right thing in the right way. With every passing year, they’re told to do more with less – and they often succeed.

Most infosec leaders aren’t succeeding, however. They’re failing. They’re lagging far behind.

“Most CISOs appear to not feel personally responsible for – connected to – their mission, their purpose, the larger goal of their leadership. They seem lost, rudderless.”

The symptoms range from troubling (not speaking up when something is possibly risky or worth investigating), to dangerous (approving business initiatives that are known, demonstrably unsafe, illegal, or immoral), to downright destructive (burying evidence of data breaches, falsifying pentest results, firing whistleblowers, etc.).

Here’s why it’s happening, in my experience.

CISOs (some would say through no fault of their own) care more about how they appear to CIOs and Boards, than they do about protecting their organization and its critical data assets and human resources. Why? Because they’ve been forced to: they’re only in place for a year or two, their authority is limited, and their ability to effect change is severely constrained.

“Not surprisingly, courage is in short supply, and passion for the job is even rarer. If the nail that sticks up gets hammered down, CISOs have done what they could to keep a low profile.”

blue lock

Here are three ways we’re worse off now than we were eighteen years ago when I took my first job in the infosec industry:

  1. Cloud Blues. CISOs, who have traditionally worked to secure perimeters, implement on-prem controls, and monitor systems and assets for compromise, no longer have control over the infrastructure. Everything is in the Cloud, or moving to it. CISOs could have pivoted to a more proactive role determining risk appetites, new control landscapes, and massively overhauled vendor risk management processes, but they haven’t. What have they done? They’ve largely watched from the sidelines as Cloud apps have swelled in number and importance. CISOs have been told to safeguard these apps — apps they didn’t evaluate, test, or select, and into which they have limited visibility. All along, CISOs have remained the organizational flashpoint – scapegoat – for data loss.
  2. Security Subordinates. For decades we’ve been discussing how CISOs should report to *anyone* but the CIO. They still do. I can count comfortably on two hands which CISOs at our 100+ active customer organizations are treated as “cabinet level” leaders, leaders who are consulted early and often before others determine the direction of an idea or strategy. All the other CISOs I know? They fall on a continuum from paper-pushing bureaucrats (“did you fill out the change management forms in triplicate?”) to security product budget coordinators (“hey Tom from XYZ Corp. is here – free steak dinner, anyone?”) to “The sky is falling!” Chicken Littles who preach doom and gloom at every turn.
  3. More Risk Than Ever. Are we more secure or better protected than we were in 2001? No, we’re worse off: exponentially more data, swelling Cloud usage, ubiquitous mobility, largely open access to external and third parties, and serious challenges with identity, authentication, and authorization. In 2020, the “good guys” are weaker politically and organizationally than ever before, while attackers are better organized, better paid, and more successful.

There isn’t one single answer to our problems, but there are some high priority items that need to change immediately:

  • Au revoir to CISOs. Centralized infosec is dead, and along with it the role of the CISO. It’s hard to say those words, and harder still to read them. We need to admit defeat, get rid of the title and position, downgrade and decentralize it, and replace it with functional risk managers that are much closer to daily operations: PrivacyHR SecurityCybersecurityData ComplianceData ProtectionCloud App SecurityThird-Party Vendor Risk Management. Have these people report to different, non-IT leaders in Legal, Compliance, Audit, HR, Operations, and Finance – but bring them together in a single working body with real decision-making authority that answers to the Board (and no one else).
  • Pump up the passion. Hey CIOs — if you’re going to keep the role of CISO, please consolidate his or her power, tenure them for a minimum of two years (three or four is better), have them report directly to the Board, and give them explicit amnesty in the event of a data breach or security incident – to empower them to a) speak truth to power and b) effect uncomfortable but needed change. No one does the right thing when they’re running scared.
  • Bake it in. Re-engineer your business management strategies to include and mandate security/privacy/risk involvement, not so those individuals can say “no”, but so they can say “yes” in a way that is competitively aligned and manages risk throughout the entire lifecycle (inception to maintenance). Stop wagging your finger and start figuring out how to make it work.
  • Baby and bathwater. Revisit your entire IT security budget spend based on empirical evidence regarding control coverage, technology efficacy, tool duplication, and optimal configuration/usage/reporting. We have way, way too much technology, and not nearly enough human expertise.
  • ERM for the win! Commit yourself to Enterprise Risk Management (ERM). Data risk cannot be siloed: it pervades every function in every organization. Data risks should be at the top of most companies’ consolidated risk registers, but to get there, infosec professionals need to consider how their risks compare and relate to other organizational priorities.

“CISOs have been marginalized – and accepting of that marginalization – for far too long. It’s time to make big, bold changes.”

I know we can rededicate ourselves, as an industry, to protecting our people and safeguarding our data. But we need stop talking about our challenges. Let’s act to reinvent infosec leadership today, together.

Related Posts

Flip The Script: Let The Attackers “Win”
What does it look like when organizations do their data security and risk management homework upfront,

2 min read

April 5, 2023

Cybersecurity Is Dead — What Now?
We must stop insisting cybersecurity can "win" the war against cybercriminals, because we've already lost.

2 min read

March 10, 2023

4 In 4: 4 Insights From My First 4 Months At Infolock
After four months on the job at Infolock, I want to let prospective customers and employees know.

2 min read

April 7, 2021

Challenge The Status Quo
Quick fix technology solutions aren't a substaitute for hard work and careful planning.

2 min read

January 16, 2023

Data Breach Cynicism Takes Hold
In more than 20 years of working in the IT security industry, I’ve helped literally hundreds of companies

2 min read

November 14, 2022

Ciso, We Have A Problem
Since 2001, I’ve worked with hundreds – even thousands – of infosec practitioners: analysts, engineers, technicians,

2 min read

August 17, 2022

It’s The Data, Stupid!
Data is notoriously messy. It’s clear most organizations have lost control of it – or, never had control of it in the first place.

2 min read

June 26, 2022

Peak Vendor: Reclaiming Infosec Priorities And Budgets In The Age Of Big Marketing
I’m not sure when the bubble began. Three years ago? Five? Security needs

2 min read

May 3, 2023

Banishing The Backseat Drivers
If you’re in security, you know how

2 min read

March 30, 2022

Vendors Know You Too Well
Could you imagine walking into a car dealership without:

2 min read

January 15, 2022