New rules published by the Securities and Exchange Commission require public companies to disclose who is responsible for managing cybersecurity risk and what expertise that person has.

What worries me is that some companies are going to be handing out CISO titles just to tick a box, and aren’t really taking cybersecurity as seriously as they should.

I’ve seen a number of instances where companies are looking at a mixed chief risk officer and CISO role. While the disciplines are definitely related, I think that is an inefficient approach, and when you see companies doing that, it’s because they just want to say they have a CISO.

Other companies are thinking about making their CIO the chief security person as well. I would caution that these CIOs are basically being put in a ring of fire, because cybersecurity is a discipline of its own.

Most of the knowledge cybersecurity professionals have comes from years spent as practitioners. People who have never focused on security before do not make great first-time security executives.

It’s something we shouldn’t have to say, but companies don’t seem to understand the difference between a title and the job behind it. Many CEOs seem to be focused on the title instead of the role, the responsibility and the capability.

How companies address this new SEC rule, then, will say a lot about how they view corporate responsibility when it comes to cybersecurity.

The first piece of advice I would give to organizations getting a first-time CISO or CSO is to enlist the support of third-party firms that specialize in recruiting executives with cybersecurity expertise.

Second, it’s important for companies to identify up front what type of CISO they want. There are various types, some more appropriate for a particular company or industry than others, and as an industry we should probably be more honest and admit this.

As a prime example, there is still a need for CISOs with strong technical backgrounds who can, in smaller companies, roll up their sleeves and assist an operations team, review code, or work in applications and directly with developers.

In larger organizations, you benefit more from a true executive who can translate things to the board, and help drive metrics and KPIs that show value to the organization. The folks who are in between need to figure out the right mix for what they’re able to support.

Companies looking to fill first-time CISO roles need a solid understanding of what they are looking for and what their needs are, and they need to be willing to put things in place to provide support and ensure success. The idea that you can hire a person and just turn them loose is untenable. They need budgets, and they need to know which roles will support them and how they will be positioned inside the organization.

Candidates, on the other hand, have to be on the lookout for companies that are clearly checking a box. It’s OK to say no to a job offer if the role isn’t set up to let them succeed.

Being able to walk away from opportunities that don’t make sense is something that security people in general need to get more comfortable with, because we are starting to exist in a space where there is more personal and professional risk than ever for security personnel.