The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.
Cyber security is a fledgeling compared to industries like risk management—Lloyd’s insurance was founded in 1688! The CISO title is even younger, first appearing around 2005. But the role has still never been clearly defined, and every CISO is working differently.
Defining the role isn’t easy when the person hiring the CISO can be wildly different. CISOs report to CEOs, CIOs, CTOs and more, and the skills needed depend on the nature of the business and who they report to. CIOs and CTOs want a technical advisor, while CROs tend to address problems from a risk management perspective. CEOs just want the world—yesterday.
It comes as no surprise that CISOs are typically under a lot of pressure, and this leads to regular rotation of roles, and attrition within security departments. However, this could be stopped if CISOs were given more autonomy and responsibility.
Reporting lines do not dictate power or the value of a role, but when most CISOs are still reporting to a technical leader—this limits the ability to be strategic and dilutes value. For the CISO role to be on a par with other technical leaders, we need the ability to challenge CIOs and CTOs, to ensure security isn’t bullied into accepting risk to meet the demands of agile IT projects. The way CISO roles are typically arranged today, we’d be fortunate to be in a situation where collaboration exists. And when it’s not—we are forced to accept mounting risk without the tools to address it.
If a CISO is lucky enough to hire their own replacement—we’d create the job description, and naturally the ideal successor would tend to have a similar skillset… leaning on the technical side. While it’s essential to understand what security teams are doing, to grow the CISO’s influence—developing soft skills are essential, like stakeholder communication, business acumen and strategic planning. If not, we’ll be stuck in the SOC and kept out of the boardroom for another 20 years.
For CISOs looking to have the most influence in their organisation, look for the following:
This blog was first published in The Register.