Stephen Moore, Vice President and Chief Security Strategist at Exabeam, discusses three of the most common pitfalls that today’s CISOs encounter, the issues they can cause and how they can be avoided.
Chief Information Security Officers (CISOs) rarely have an easy time of things. They are responsible for safeguarding every piece of corporate, employee and customer data within an organisation around the clock, against an army of unknown adversaries that are constantly ahead of commonly deployed defences and controls. What’s more, they are usually the first head on the block if anything does go wrong. It’s a highly stressful job, and often a thankless one as well. For that reason, it’s little wonder that the average tenure of a CISO is little more than two years, with many not even lasting that long.
On the other hand, the very nature of the role means anyone willing to take it on is likely to be extremely confident and hopefully knowledgeable enough to surround themselves with the right talent. They also tend to have the resilience to withstand high levels of scrutiny – especially if or when a breach does occur.
For an executive whose job it is to prepare for the worst and hope for the best, the surprises that catch CISOs out and undermine their position are rarely welcome. But the fact is they do occur, often more than CISOs would like to admit. While many may be due to factors outside of their control, poor internal communication, planning or decision-making can play a key part.
Below are three main sources of such surprises, based on personal experience, all of which an incoming CISO should get a handle on as soon as possible if they wish their tenure to prove the statistics wrong.
Inability to execute a swift security response at the critical moment
A major part of a CISO’s role is putting procedures in place that prepare the company to respond as fast as an adversary is likely to attack. Without this, security failures are inevitable. But even the best-laid plans can go awry.
Here are some realities to consider:
- Incident responses often require swift and decisive action, which can be disruptive to business operations. The rest of the senior leadership team must be on board with this, because the more resistance encountered when it really matters, the more damage is likely to be inflicted. As a CISO, there’s nothing worse than swinging into action, only to be told the required course of action is too disruptive.
- Deploying new security capabilities, especially those likely to help detect and disrupt an adversary, isn’t easy. Sadly, in a ‘normal’ world they can take well over a year to deploy and configure; during a breach, far less time will be available. Furthermore, even an endless supply of budget doesn’t necessarily buy cooperation. Without support from the top of the organisation, and from IT peers, security planning can quickly become an ‘expense’ instead of a culture.
Failure to properly align with senior management expectations
It’s critical for any incoming CISO to align with senior management as soon as possible to make sure everyone is on the same page regarding the responsibilities, expectations and goals attached to the role. Have these conversations before the first security failure, not after it. Without this kind of due diligence, a CISO could well find themselves working to a different set of parameters than those expected by the rest of the C-suite, a gap which may only become apparent when the worst happens.
CISOs should also never find themselves in a position where they have to deliver bad news as a stranger. Proper alignment creates familiarity and visibility, which can go a long way when the security budget wheels need greasing or fast, decisive action is required. Equally, it’s also important for senior executives to remember that the CISO is rarely the only casualty of a major security breach. Strong alignment benefits everyone. Agree on a definition of success for both the programme and the CISO.
Lacklustre C-suite support and visibility when/where it counts
When recruiting a new CISO, companies must be direct and open about the support the CISO office can realistically expect to receive. They should also provide real visibility into policies and budgets, which doesn’t always happen. Potential CISOs should look at the organisational reporting structure for clues as to how security is regarded internally. Often, details such as whether the role is expected to report to the leadership team or into IT can be strong indicators of the real attitude towards security.
After all, a chain is no stronger than its weakest link, and without appropriate support from the top a new CISO will face an uphill battle from the beginning. Also remember that while budget doesn’t equal cooperation, cooperation is essential for positive results, especially from the teams that control the deployment of technology and the adoption of controls.
For CISOs to succeed in today’s hostile security climate, they must be able to identify and address as many of the potential pitfalls surrounding them as possible, both internally and externally. Doing so helps minimise the chance of unwelcome ‘nasty surprises’, which often only appear at the most inopportune moments. Unfortunately, many CISOs fail to do this, making what’s already a hard and stressful job almost impossible.
This article looked at three of the most commonly overlooked pitfalls, all of which can be easily resolved through due diligence and effective communication but if left unchecked can quickly prove a CISO’s undoing. By addressing these challenges head on and leaving nothing to chance, a savvy CISO can quickly find themselves as an outlier in the average tenure statistics.