In the aftermath of the Target breach, there has been a lot of press on the need for a Chief Information Security Officer (CISO) in the boardroom. The Wall Street Journal, the NY Times, Forbes, and a host of other business publications are calling for a senior information risk executive to have the proverbial ‘seat at the table’ in the boardroom. While I appreciate how all of these major publications have suddenly ‘got religion,’ I have to wonder what all of the excitement is about.
While many in the role of CISO/CSO do not have the authority they need to adequately perform their duties, the successful ones have indeed figured out how to progress from fighting the daily fires to being a trusted business partner. Those CISOs/CSOs not only solve technology problems, they are key contributors to future strategic decisions, providing insight into unanticipated risks in both business and information risk management.
A new CISO often is walking into a minefield – either a breach or incident has occurred and they are being brought in to clean up the mess. Or possibly, the company has decided to be proactive after years of neglect or ignorance, leaving a fragmented infrastructure that is nearly impossible to secure in a timely fashion.
All too often, executives hiring a CISO are looking for a quick fix – someone to own the title, slap a few firewalls in place, and declare the business ‘secure.’ The reality is, more often than not, it takes years – and several budget cycles – to fix a disparate, neglected infrastructure.
What is frequently overlooked is that for CISOs to be truly successful, they need to understand the business and organization they just joined – not just the company’s industry vertical.
When first taking over a prior position, I spent the initial six months touring the globe visiting our largest offices in the world. The singular goal of those trips was straightforward – to understand the challenges each office faced, and how I could help.
I also was prepared for the inevitable – taking the proverbial bullet for past mistakes and prior security efforts that went bad. I was quite literally screamed at, threatened, ignored, and stood up – all because I was stepping into an environment where a lack of executive support had led to poor security decisions, causing functional business impact on employees around the world.
Make no mistake – there was a palatable disdain for Information Security and the impact poorly designed controls were having on their jobs was easy to detect. It was a recipe for disaster, and, in their eyes, I was the one responsible. They held me responsible for past indiscretions and future actions, and they were determined to make my life as miserable as Information Security had made theirs.
Those first six months, and even the first year, was filled with fire fighting, trust building, and consensus gathering; and I wouldn’t have changed it for anything. The only way I was going to gain their trust was by earning it, and they went out of their way to ensure I had plenty of opportunities to do just that. By the end of my tenure, those same people who screamed at me in the beginning called me to thank me and wish me the best.
It goes without saying that the irrefutable nature of a CISO’s world is technical. Many of us have grown up in the technical world, and have ourselves been challenged to describe what we do to the layperson. But as our role changes from packet jockey, to ethical hacker, to true Risk Executive, so must evolve how we articulate true business risk when everything we do these days is electronic.
In his book ‘How to win friends and influence people;’ Dale Carnegie listed 30 ‘Principles’ of achieving success. One of the ones I keep in mind the most is Principle #8: “Talk in terms of the other person’s interest.”
Whether it’s the new colleague who thinks changing a password four times a year is ridiculous, or it’s the Board Director who has virtually no understanding of technology, much less security, speaking in their language, explaining risk from their perspective is a critical success factor.
A successful CISO is not the one who can knock out a Perl script over coffee, but one who can get a decidedly non-technical Board member to understand the risks and challenges of today’s electronic, interconnected world. And the only way that can happen is by understanding their world and speaking in terms of what interests them.
One has to wonder if its very dissimilar from the discussion early adopters of seat belt usage had. Every car produced since 1966 had seat belts, but it took until 1984 for laws to be passed mandating passengers to wear them.
One has to ask, did the average person not understand the risk of a car crash? Of course they did. They just had an ‘it won’t happen to me’ attitude when they climbed into their massive, all steel land cruisers that could almost drive through a wall without a scratch. It wasn’t until the advent of the ultra-fuel-conservative tin-can-on wheels when the true benefits of seat belts were recognized.
While admittedly, the analogy is a stretch, is this truly unlike what we see in boardrooms across the country today?
For decades, technology infrastructures were protected from the outside world through the sheer lack of viable connectivity options. The advent of the Internet brought mostly email and web access which, even with the headaches of spam and nuisance viruses, were fairly insulated from significant business disruption.
Executive boards had little reason to invest in, much less care, about Information Security. Then one day, millions of credit cards are stolen, hundreds of thousands of health records disclosed, countless emails gone and websites defaced or DDoS’ed.
If you look at your average Board member, is it really surprising at all that they weren’t prepared for the radical shift in business process? They have been running a business status quo for years and then, all of a sudden, the proverbial ‘tin-can-on-wheels’ shows up and turns their world upside down.
One could argue the CIO should have seen it coming. That auditors should have raised it to the risk committee. But the reality is, without someone who understood the intersection of the business risk and technology risk, most organizations were left unprepared for such a shift in business process.
Over the next several years, there will be a rapid elevation in the role of the CISO, and in fact, this will open many career opportunities for technical managers to take on the CISO role. The ability of these managers to transition from their technical expertise to a broader skill set where they are able to communicate the impact of technical risks on the bottom line will be a critical success factor and likely one of the biggest challenges faced during their careers. Their ability to “Talk in terms of the other person’s interest” will be a telltale sign of a successful risk executive – and one we all need to be proficient in.