Every CISO is one data breach from being fired. Or one disruptive DDoS attack. Or one theft of information. Or one bad audit result. Or one compliance investigation. Or one letter from the Federal Trade Commission or other regulator. Or one loss of a CEO’s or board member’s personal data.
It only takes one.
Usually (but not always) a big one. But not always. They can also be fired for being too aggressive in demanding resources, or for not being aggressive enough. Or for impacting performance or “business process,” or for saying “no,” or for saying “yes.”
For insisting on certain precautions, or for not insisting on those precautions. For implementing mobility, or for not implementing mobility. For insisting on being present at the planning stages of new products or services, or for not insisting on being present at the planning stages. Heavy is the head that doesn’t wear the crown, but that is responsible for the crown jewels.
The four worst words a CISO can hear, usually at 3 AM, are, “oh, by the way.” Typically followed by, “it wasn’t my fault.”
So what’s a CISO to do?
The CISO is in the unenviable position of being responsible for the privacy of all of the data within the enterprise, as well as the privacy of customer data, and that of business partners. This despite the fact that the CISO rarely has the authority to impose his or her will on the security of that information.
Businesses adopt new strategies, products or implementations, like mobile devices, without consulting the CISO about the security aspects of the implementation. Why should they? I mean, the CISO is only either going to say no, or delay the project. You know, it’s easier to get absolution afterwards than permission before, right?
So what keeps a CISO up at night? Everything.
They are worried about people who don’t follow the clearly defined and reasonable rules. About users who click on what is clearly a phishing email; about those who don’t tell them or their staff about computers that are behaving badly; about unreported lost or stolen devices; about people who bypass security protocols (like compulsory encryption), or who share data in unapproved and insecure ways.
CISOs worry about the security of customers’ networks, clients, vendors and suppliers. They worry that the vendors’ products don’t work as advertised. They worry that they won’t know about an attack in sufficient time to react. That the company won’t dedicate the resources to prevent the attack, and then won’t dedicate the resources to respond until it’s too late.
CISOs worry about the employees who don’t take the security training, and those who do, but don’t take it seriously. They worry about those who don’t understand even the fundamentals of security, and don’t care ’cause it’s “not part of my job” and not something their bonus or salary depends on.
CISOs worry about zero-day attacks and unpatched systems. They worry about “experimental” projects outside the corporate firewall. They worry that someone – anyone – will say or do something that will make the company the target of an attack. They like days when nothing happens. And those are few and far between.
CISOs worry about being compliant with all of the privacy and security regulations in all of the countries and for all of the services the company is engaged in. They worry about even KNOWING what these regulations are, and when they have changed.
They worry about even KNOWING the services the company is engaged in. “Oh, by the way.” CISOs worry about what the morons in Contracts are agreeing to. “We agree to comply with YOUR privacy and security policies…” They worry about what the morons in Legal are doing. They worry about what the morons in HR are doing. Like Spaceballs’ Dark Helmet, they are surrounded by a**holes. Well-intentioned and well-meaning, but it’s not their job that’s at risk when the network is attacked.
CISOs are worried that they have too many policies that are too complex for anyone to read or understand. They are worried that they have too few policies to cover new and emerging trends like BYOD, work from home, mobility, cloud, or the Internet of Things. And they are worried that these policies haven’t been reviewed in a decade or more. Or that people don’t know what’s in them.
CISOs are worried that they don’t have the budget they need. And that the fact that they don’t have the budget they need will lead to the conclusion that the company is “negligent” in providing security.
CISOs are worried that other similar companies are doing a better job at security. Or that they are doing a worse job.
CISOs are worried that they don’t have enough information to do their job, that they don’t know about the latest vulnerabilities or trends in security. CISOs are also worried that they have too much information, and that they can’t even act on the information they have.
CISOs are worried that they cannot attract and retain the quality of people they need to do their jobs, and that the company is using untrained sysadmins to perform what really is a security role.
CISOs are worried that the company is not backing up its data frequently enough or securely enough, and that the company is backing up and retaining its data for too long.
CISOs are worried that the company is not deploying a cloud strategy, and that it is.
CISOs are worried that the company is relying on outsourced vendors for critical storage, monitoring or security functions, and that the company is not relying on these outsourced vendors.
CISOs are, by their nature, worriers.
So pretty much everything keeps the CISO awake at night. And during the day.
The real trick for the CISO is to manage. Manage expectations. Don’t think that if you do everything right, you won’t get hacked, ’cause you know you will. Do what Scotty does – underpromise and overperform: “I canna give you warp 10, Cap’n...”
Manage people and give them incentives to do the right thing. Don’t be “Mr. NO” but rather be “Mr. KNOW” and find a way to make the business do what it wants to do. Unless what it wants to do is really stupid. Then be Mr. NO. And enlist allies. Audit, legal, HR. Manage vendors and suppliers, ’cause they will kill you. Keep lines of communication open.
And keep your resume up to date. You know, just in case.