“Watch your back” or “I've got your back”?
Chief Information Security Officer or CISO – sounds great, but is it? It sounds like an amazing position if all goes well… But what if your organization suffers from a large-scale cyber incident? Unlike other C-level positions, things may have personal consequences rather quickly for the CISO, mainly due to the enormous risk and impact of cybersecurity incidents. “You would take care of it, right?” “How could we have been hacked?” “I thought we had a good CISO?!” Unfortunately, judgments are made in split seconds.
CISO jobs
CISO job descriptions differ from organization to organization and are far from standardized. In some organizations, they are mainly about developing and challenging the information security strategy, defining policies, advising the executive board, and monitoring certifications achieved. In contrast, in other organizations, the CISO role comes with a much more operational focus, like the implementation of Endpoint Detection & Response (EDR) technology, the selection of awareness product partners, and the handling of abuse notifications. Well, that’s quite a difference!
Of course, you can find generally accepted job descriptions and mind maps, but in the end, there's a huge difference in expectations of the CISO role per organization. That comes as no surprise, considering that (a) cybersecurity is such a broad subject, (b) the size and industry of organizations dictate the actual cybersecurity demand, and (c) our digital way of working is fully intertwined with every aspect of an organization. And that’s where the complexity really starts – the ‘what and how’ differs per organization, so it is basically impossible to give a ‘one size fits all’ definition.
The five-legged sheep
The Dutch saying “looking for a sheep with five legs” means that people want a “Jack of all trades.” But in fact, it’s about looking for the impossible, somebody who doesn’t exist. And we see this daily – the list of demands and wishes for CISOs is so incredibly long that the only connection seems to be that it’s all about cybersecurity: security operations, privacy, compliance, identity & access management, risk management, board advisor, auditor, etc. You name it!
Is the CISO a specialist?
There’s no single answer to this question because, in most organizations, you’re seen as the “security go-to person” of the company. But if we consider that the CISO profession involves so many activities and responsibilities, can you actually be a specialist? Moreover, the CISO role has shifted dramatically with the rise of cyber attacks. CISOs are now expected to step out of their advisory comfort zone and be more proactive in identifying and preventing cyber threats. In addition to developing and implementing security policies, the CISO needs to come to the table with a deep understanding of business operations and objectives, and with security strategies that are both effective and aligned with the overall business goals of the organization.
In daily practice, I’ve seen many CISOs struggling, mostly due to their split responsibility: being both a C-level manager who is expected to deliver strategic vision and guidance and, at the same time, the “go-to person” with deep operational knowledge of cybersecurity. Precisely because of these high and often unrealistic expectations, it is not always easy to admit that you’re not the “Jack of all trades” they expect you to be. For example, are you able to draw up an Incident Response (IR) plan yourself based on online documentation, or is it perhaps better to ask an experienced IR specialist? If you decide to outsource parts of security operations to a service provider, can you make the right decisions between DIY and outsourcing? You had better make sure you have some experts supporting you on topics like these.
It’s getting personal
Unfortunately, “naming & shaming” is a very common phenomenon in cybersecurity. When things go wrong, for example because of a large-scale incident, “Bachelors’ wives and maidens’ children are well taught.” Everyone pretends to know what the organization concerned did wrong, or even worse, what its CISO did wrong. You also see this phenomenon among security specialists in companies facing gaps in their cybersecurity posture: “This may go terribly wrong, so I had better leave because I don't want to be blamed.” This behavior is totally understandable but shocking: how can you as an individual be blamed for something going wrong when the playing field of cybersecurity is so complex?
To draw the parallel – when a company goes into bankruptcy, people often talk about poor products, economic downturns, cash flow issues, or unexpected external events. Do we blame the CTO or the CFO? No. And now, back to large-scale cybersecurity incidents, do we blame the CISO? Yes!
Conclusion
Besides cybersecurity, there is no other domain in organizations that could result in ‘game over’ within a split second if things really go wrong. According to several insurance companies, 1 in 5 businesses will already fall victim to a cyber incident in 2023. If we collectively recognize that this risk is so tremendously high, then as far as I am concerned, this also means that we cannot and should not hold an individual accountable for an incident.
Transparency and integrity are crucial to understand, support, and learn from each other. Fortunately, there are more and more advocates for sharing lessons learned from cybersecurity incidents. After all, it is no longer a question of whether you will have to deal with a cyber incident but when. Cybersecurity is a joint responsibility. In 2023, cybersecurity should be part of the DNA of the organization’s entire management and all underlying departments.
Cybersecurity is such a broad subject. The five-legged sheep doesn’t exist; instead, cybersecurity involves actively sharing knowledge and skills inside and outside your organization. I therefore strongly believe in collaboration, which is why I support the CISO community.
Rick Hofstede is a Cybersecurity Expert and the Founder of Cybermeister.