Constant firefighting downgrades the role and the CISO must fight to avoid its gravitational pull
Compared with many other C-level roles, the Chief Information Security Officer (CISO) position is a fairly recent creation for many organisations. Although it started to emerge over 15 years ago, it has been spurred further recently by growing concerns over cybersecurity and highly publicized data breaches. Figuring out its right place within organisations is still quite a hot debate between management and security experts.
How an incoming executive needs to approach such a complex role is also a hot debate. Many experts – including us – have written about this and have framed the topic using the “first 100 days” journalistic cliché. In our own series, we took issue with the fact that most consultants’ analysis and suggestions fail to consider the incoming CISO within the broader context and organisational complexity of the firm.
In large organisations, no function exists in a vacuum, and getting anything done requires aligning your strategy with other stakeholders’ priorities, business cycles, and budget cycles. It will always take time, as well as political and managerial acumen, but nothing in our opinion that could not be set in motion to an extent within the first 6 months in office.
In practice, the real challenge always lies in balancing strategic longer-term views with the tactical aspects of the day-to-day of the function: It is unavoidable that an amount of time during the CISO’s first months in the job will be spent dealing with tactical firefighting and that it will impact their ability to elevate to the level required to start weighing in on key strategic issues.
As one of our contributors pointed out – a CISO at a large services organisation – “the 100 days often end around day 3”.
There is no way around this: If you want to stay in place in this kind of role for more than 100 days, you must deal with the day-to-day emergencies; you must meet expectations before you can transcend them.
This is especially true when the CISO reports directly to the CIO – which often results in concentrating the role on its most technical dimensions and is accentuated further by the short-termist culture of many IT executives.
It is a context where it is easy for the CISO to be tempted to give up and think that tactical issues will always win and will prevent the role from ever elevating beyond mere firefighting. Even worse for organisations, this situation is often self-perpetuating: A tactical mindset breeds tactical attitudes, and short-termism is hard to escape once you start indulging in it.
Taking this somewhat fatalistic view to its logical conclusion, it becomes the type of situation where the positioning of the CISO within the organisation is bound to evolve and move under a CSO-type position whose responsibility would be to elevate the transversal topic of cybersecurity to address the increasingly pressing questions from the board and senior stakeholders on these matters.
This would leave the CISO with the downscaled but unambiguous task of dealing with the day-to-day firefighting aspects of the function, while it becomes the role of the CSO to push strategic cybersecurity initiatives throughout the organisation.
In our opinion, the emergence of CSO roles is unavoidable in many large organisations, due to the increasing pressure on boards around cybersecurity matters and the emergence of broader transversal topics such as resilience or privacy. It is nonetheless achievable for the CISO to elevate their position to a highly strategic and respected level, but it will require strong managerial acumen and personal gravitas to know how to deal with the tactical while aiming for strategic goals. It comes down to the personal profile of the individual involved and their experience: This is certainly not a junior role anymore in any way.
It will be a bumpy ride, especially at first, as day-to-day issues will inevitably arise. They will distract and could “nudge you off course”, as another of our contributors – a CISO in a large airline organisation – put it, but the challenge is to get back on course and carry on.
Meaningful change will happen over time, through hard work, full commitment to a transformative agenda and maybe bottom-up approaches, but always looking for top-down drivers and leveraging them when they appear. Once achieved, the long-term rewards – both tangible and reputational – of the transformation delivered will be for the CISO to grab.
I am not sure where you are getting your info, but great topic. I need to spend some time learning more or understanding more. Thanks for great info I was looking for this information for my mission.
Good day! This post couldn’t be written any better! Reading this post reminds me of my previous room mate! He always kept chatting about this. I will forward this page to him. Pretty sure he will have a good read. Thanks for sharing!
Hi there! This post couldn’t be written any better! Reading through this post reminds me of my previous room mate! He always kept talking about this. I will forward this article to him. Pretty sure he will have a good read. Thank you for sharing!
Hello, you used to write excellent, but the last several posts have been kinda boring… I miss your great writings. Past few posts are just a little out of track! come on!
I haven’t checked in here for some time since I thought it was getting boring, but the last several posts are great quality so I guess I will add you back to my everyday bloglist. You deserve it my friend 🙂
Pretty! This was a really wonderful post. Thank you for your provided information.
Thank you so much for giving everyone remarkably splendid opportunity to read articles and blog posts from this web site. It’s usually very kind plus full of amusement for me and my office friends to visit your website no less than 3 times in one week to read the latest stuff you have. And definitely, I’m just actually fascinated concerning the exceptional points served by you. Selected two facts in this article are undeniably the simplest I have ever had.
I’m not sure why but this website is loading very slow for me. Is anyone else having this issue or is it a problem on my end? I’ll check back later and see if the problem still exists.
Perfect work you have done, this site is really cool with superb information.
Hi my friend! I wish to say that this article is amazing, great written and come with approximately all important infos. I’d like to look more posts like this.
Fantastic items from you, man. I’ve remember your stuff previous to and you’re just too great. I actually like what you’ve obtained here, really like what you’re saying and the way in which during which you say it. You make it entertaining and you still take care of to stay it wise. I can not wait to read far more from you. That is really a great site.
Of course like your web site however you need to check the spelling on several of your posts. Many of them are rife with spelling issues and I find it very bothersome to inform the truth however I will definitely come back again.
Really good info can be found on website. “That is true wisdom, to know how to alter one’s mind when occasion demands it.” by Terence.
I have learned several excellent stuff here. Definitely value bookmarking for revisiting. I surprise how a lot attempt you set to create this kind of magnificent informative website.