Is the CISO role broken?

A recent story by Tyler Farrar (The CISO code of conduct: Ditch the ego, lead for real) really got me thinking.

While I agree with most of the content and the code of conduct it suggests, I think there are a few points around the roles and profiles of the CISOs that need to be explored and analyzed further.

The code of conduct in the article rightly insists on leadership and execution skills, but ends up structuring a profile that cannot be built up overnight and can only be the result of long-term front-line management and delivery roles, and that’s at the heart of the matter in my view.

Most CISOs I come across are technologists by trade and background. Nothing wrong with that: It is simply the consequence of the origins of the role in IT security and its evolution over the last three decades.

The evolution of the CISO role — and its limits

Over its three decades of existence, the cybersecurity industry has never built lateral talent management pipelines. Security analysts become security engineers; security engineers become CISOs; very little talent at the senior level comes from outside, in my experience.

Many CISOs have been hopping from job to job over the best part of that period. When I started going to information security conferences 25 years ago, most people in the room were coming from the financial sector, big pharma and oil and gas firms. Over the period, all firms have woken up to the reality of cyber threats and many of my colleagues from that period moved to other industry sectors.

Short tenures breed long-term failure

But tenures have remained low. Several articles every year place the average CISO tenure in the region of two to three years, and that matches my own field experience.

You do not achieve much in terms of transformative impact in any large firm in two to three years.

In fact, many CISOs have spent the last decade firefighting endless incidents, incapable of building any kind of longer-term vision in any job, let alone delivering it. As a prominent CISO once told me, “My first 100 days ended on day 3”…

That’s not a context where you can realistically develop the management finesse, the personal gravitas, the political acumen you are now expected to have to succeed in the role, given the visibility it has acquired at the corporate level.

That’s why many CISOs are struggling. No doubt there are “ego” issues with some (it’s hard not to feel important when you are being paid a fortune), but beyond that, the role has simply become impossible for many and that’s where the “bad behavior” comes from, in my view.

Nobody can be expected to be credible one day in front of the Board, the next in front of regulators, the next in front of pen testers, the next in front of developers, the next in front of suppliers, and so on…

It’s time to stop pretending: Those profiles don’t exist. Many CISOs are just acting up most of the time. They leave after a few years out of frustration, having achieved very little in practice.

The situation is compounded by chronic long-term execution failure in many large firms around cybersecurity.

Toxic dynamics between security leaders and executives

That’s not necessarily the CISO’s fault in itself. Large firms are by essence siloed, political and territorial in my experience. The inherently complex and cross-silo nature of cybersecurity issues comes in conflict with those dynamics, and if corporate governance structures are not in place to cut across, very little gets delivered over time in terms of transformative cybersecurity efforts, beyond low-hanging fruit or alleged quick-wins.

Nevertheless, it creates a climate in many firms between senior executives and their security team that has the potential of becoming quite toxic.

The type of bottom-up communication towards senior executives that CISOs and their consultants have tried to build over the years has simply failed.

The narratives developed around “cybersecurity as an enabler” or “return on security investments” were simply trying to address, by rational means, a situation which is not rational in essence but driven by cognitive biases and deeply rooted corporate governance practices or dysfunctions.

Seeing it from the other side of the table, many senior leaders would have seen CISO after CISO coming in asking for millions, then leaving a few years later with things half done.

And that breeds distrust.

Distrust breeds reluctance from business leaders to invest further until something happens; the lack of resources (real or perceived) feeds the CISO’s frustration and their short tenure, which is one of the main cornerstones of this “spiral of failure” around cybersecurity.

Why splitting the role is the only way forward

Two things need to be done, in my opinion, in firms trying to break out of those dynamics.

First, the CISO role needs to be split. It is pointless to carry on pretending the role is functioning well. It has simply become too complex for the profiles it attracts.

A formal CSO role needs to emerge at the leadership team level, encompassing all business protection aspects at large, including cybersecurity governance, but also regulatory reporting, compliance management and business resilience.

The challenge here is to make the portfolio broad enough to attract the right calibre of business leader and present a genuine career opportunity. Those topics are complex and deep enough to justify the approach and the role.

From a corporate governance perspective, this is a move any Board should support, but it should also help any leadership team to have one single individual across the table acting as a stakeholder on all those matters.

Accountabilities and personal liabilities may come into play in some industries or geographies, but the challenge is worth considering, as it would cement unequivocally the importance of business protection values at the heart of the firm’s management structure.

The role of the CISO itself can then be returned to its native technical remit, stripped of the managerial and governance layers it has accumulated organically over the years, and for which the current generation of CISOs is poorly prepared.

The role should also be refocused strongly on execution. There, I strongly agree with the last point in the code of conduct where we started from.

Rebuilding trust through delivery, not demands

The time has come for CISOs to stop complaining and get things done with the resources they have.

Showcasing execution ability, without constantly asking for more, will build or rebuild trust with senior executives.

In turn, trust will bring more resources, in particular if coupled with the unequivocal support of a CSO role, embodying business protection values at the top of the firm and able to support cybersecurity initiatives top down as well as sideways across corporate silos and geographies.

This is the type of new dynamics that will help businesses move forward, where genuine and lasting transformation is required around cybersecurity.

It will also help frustrated CISOs get more from their job and hopefully lead to longer tenures.

It may also help with recruitment into those roles by making role descriptions more realistic, as opposed to many current ones that are frankly looking for profiles that don’t exist.

A new path toward sustainable cybersecurity leadership

Firms cannot simply carry on with cybersecurity as they used to do ten or twenty years ago. Threats morph all the time and will continue to do so, but organizations have to reflect on their journey across the cybersecurity landscape over the last decades and understand where the roadblocks have been that have prevented progress. Many should be at much better cybersecurity maturity levels given the amounts invested over the years.

Making the role of the CISO work better is part of that. It is a key step, but we must leave no stone unturned, even if it means acknowledging that, in its current form, the role has run its course and needs to evolve drastically.

This article is published as part of the Foundry Expert Contributor Network.