Security Organizations must evolve. The CISO cannot be credible on all fronts
A recent comment I read on Linkedin made me think.
It was in response to a post on zero-day vulnerabilities and software patching, and roughly translated from the French, it read as follows:
“One day, you stand in front of the Ex Co having to explain how the millions spent on cyber over the years have improved their level of protection; then you go back to your desk to discover that 3 new vulnerabilities have just turned up which need patching across the entire estate. Welcome to my world!!!”
While I accept this reflects the life of many CISOs, it attracts comments at two levels:
First of all, if the “millions spent on cyber over the years” had been spent in the right places, none of the issues highlighted here should be a challenge for the CISO.
A cyber security practice needs to be a structured practice built around people and processes, supported by technology. Reporting capabilities should be embedded in it and inform any management decision up to the board. You build those over time. It requires mid to long-term vision and leadership from the CISO, but that’s how the “millions” should have been invested over the years: People, Process THEN Technology.
Of course, many cyber security practices have been built the other way round: Jumping straight at the first technology solution every time something happens or at the first sight of an audit point, buying some tech product to address alleged quick wins, then wrapping processes around the capabilities of the product … just to discover that you can’t justify the resources to operate the way the product needs to be operated (before complaining endlessly about management and budgets; at which point the CISO generally moves on to their next job…)
This cannot carry on. Short-term focus on non-existent quick wins has led to a product proliferation problem which is simply killing security operations practices, and many large organizations are nowhere near the level of security maturity they should have reached with regards to the amounts invested over the last 10 to 15 years.
Many CISOs are simply trapped in endless projects, tactical games and firefighting. They struggle to see the bigger picture, while at the same time, many senior executives have now entered the “when-not-if” era and expect real action.
Meanwhile, breaches keep happening and, over time, distrust sets in between business and security leaders. This spiral of failure also breeds a talent-alienation dynamic, and security problems can rapidly become self-perpetuating.
Organizations which find themselves in such a situation must look back without complacency at the roadblocks which have prevented progress on security matters in the past: Invariably, they will be rooted in culture, governance and managerial short-termism.
To break this deadlock, they will have to attract and inject raw management talent into the security equation, and to that effect, current security organizations will have to evolve. Which takes me to my second point, in relation to the Linkedin comment I started from.
The CISO role which it refers to – although very real today in many organizations – is inherently flawed.
Nobody can be reasonably expected to be GENUINELY and EFFECTIVELY credible from the board down, across all managerial and technical layers of the enterprise, and transversally across all its silos, from HR to Legal, Procurement or Compliance – and of course across all geographies and cultures for global firms.
This profile simply does not exist (or is so rare it’s not worth looking for). Yet, in many organizations, it is more or less what is expected of the CISO, partly because of the inherently transversal nature of security, partly because no-one else appears to be relaying the security message.
This also cannot carry on: Security organizations in large firms have to restructure themselves in depth to encompass and structure all relevant disciplines and allow each of those to develop as it should, at its level.
Within a structured organization, roles should be defined and distributed to attract the best: The person talking to the board on security matters and the person making sure the IT estate is patched should not – and cannot – be the same.
In this context, the traditional role of the CISO will have to evolve, and probably leave the centre stage to a broader CSO role, which could be used to attract and develop a new generation of leaders into security roles.
This is absolutely necessary to address the transversal nature of security – and privacy – matters in large firms, and break the spiral of failure which has plagued cybersecurity for the last decade.