{"id":4133,"date":"2025-07-28T07:00:00","date_gmt":"2025-07-28T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4133"},"modified":"2025-07-28T07:00:00","modified_gmt":"2025-07-28T07:00:00","slug":"the-cisos-challenge-getting-colleagues-to-understand-what-you-do","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4133","title":{"rendered":"The CISO\u2019s challenge: Getting colleagues to understand what you do"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The first-ever CISO, the late <a href=\"https:\/\/www.isc2.org\/Insights\/2023\/12\/First-CISO-Steve-Katz-Passes-Away\">Steve Katz<\/a>, <a href=\"https:\/\/www.f5.com\/labs\/articles\/cisotociso\/looking-forward-looking-back-a-quarter-century-as-a-ciso#:~:text=The%20first%20Chief%20Information%20Security,CISO%20role%20in%20today's%20organizations.\">earned<\/a> the title chief information security officer at Citicorp in 1995 after Russian hackers stole more than $10 million from the financial institution. 
Thirty years later, this relative late-comer leadership role remains largely misunderstood \u2014 and subject to greater responsibility volatility than more traditional and established leadership roles such as CFO.<\/p>\n<p>It is no surprise, then, that many employees and even executives do not fully grasp what their organizations\u2019 CISOs do \u2014\u00a0a problem many CISOs run up against in fulfilling their primary responsibilities for the enterprise.<\/p>\n<p>\u201cA CISO does everything related to cybersecurity that nobody else in the company wants to do,\u201d <a href=\"https:\/\/www.csoandy.com\/bio\/\">Andy Ellis<\/a>, CISO, Partner at YL Ventures, and advisor to cybersecurity startups, tells CSO.<\/p>\n<p>\u201cThat sounds trite, but that is the elevator pitch for the longer thing, which is that a CISO is the other half of the CIO. CIOs basically stopped doing innovation and governance in 2000 and became cost cutters,\u201d Ellis says. \u201cSomebody had to care about cybersecurity because nobody else did. And so, the CISO\u2019s job has been to sort of pick up the cybersecurity pieces that are parts of other people\u2019s jobs.\u201d<\/p>\n<p>The haphazard evolution of the job highlights the problems CISOs face when colleagues and regulators have a poor grasp of what they do. This lack of understanding can lead to misunderstandings, resource misallocation, and even potential legal liability, as evidenced by what many see as the SEC\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/3988361\/4-ways-to-safeguard-ciso-communications-from-legal-liabilities.html\">overreaching inclusion<\/a> of SolarWinds CISO Tim Brown in a years-long and bruising legal battle based on a misinterpretation of his duties.<\/p>\n<p>Driving the confusion are the blurred and variable parameters of the job. 
This lack of clarity is compounded by the fact that most CISOs continue to operate with <a href=\"https:\/\/www.csoonline.com\/article\/3602722\/the-ciso-paradox-with-great-responsibility-comes-little-or-no-power.html\">less-than-desired decision-making authority<\/a> despite their heavy duties and executive-level-sounding titles. Nevertheless, experts point to ways that CISOs can better define their jobs and communicate them both inside the organization and with external stakeholders.<\/p>\n<h2 class=\"wp-block-heading\">So, what do CISOs do?<\/h2>\n<p>One of the fundamental problems in <a href=\"https:\/\/www.csoonline.com\/article\/566757\/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html\">defining the CISO role<\/a> is that it varies from organization to organization, and with where the organization stands in terms of cybersecurity maturity. Moreover, the nature of the job can change over time.<\/p>\n<p>In a less mature organization, CISOs \u201ctend to be pretty technical,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/bethanydeludecissp\/\">Bethany DeLude<\/a>, CISO emeritus and former CISO of the Carlyle Group, tells CSO. \u201cThey might be the strongest security engineer in the organization. This type of CISO is like, \u2018Let me just put out fires. Let me make sure we\u2019re not hacked. Let me get our house in order.\u2019\u201d<\/p>\n<p>In a mature organization, on the other hand, the CISO is \u201can executive leader who is focused on strategy, business relationships, brand-building, thinking of how cyber creates value for the organization,\u201d DeLude says. This kind of CISO thinks about \u201chow do I create value for this organization through my subject matter expertise? That\u2019s why I think there\u2019s blurriness. 
Moreover, the right CISO for the same organization can change over time.\u201d<\/p>\n<p>The changing nature of the CISO\u2019s role, along with the shifts in threats and risk management strategies, means that pinning down a CISO\u2019s responsibilities is a virtual impossibility. \u201cIt\u2019s an evolving situation, and every year a CISO\u2019s role has to be kind of re-analyzed to figure out, okay, what do I need to do,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/dalezab\/\">Dale \u201cDr. Z\u201d Zabriskie<\/a>, field CISO of Cohesity, tells CSO.<\/p>\n<p>He adds, \u201cWe\u2019ve gone through that time where the board or the CEO or the company points at the CISO and says, \u2018It\u2019s your job to protect us.\u2019 We\u2019ve moved away from that to where the best thing a CISO can do is to be connected at every level of the business to understand from each department leader and demand from that leader what data, what systems they are responsible for. Then the CISO can determine the best course of action based on acceptable risk.\u201d<\/p>\n<p>What this means to some experts is that CISOs need to feel their way around the organization before defining their jobs more concretely. 
\u201cIt\u2019s the CISO\u2019s responsibility to finalize their own job description, essentially, and set expectations based upon the risks and how that aligns with bits of strategy and the actual culture that exists,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/susanfchiang\/\">Susan Chiang<\/a>, CISO of Headway, tells CSO.<\/p>\n<p>Chiang thinks the great leveler across all organizations for CISOs is that ultimately \u201cthe mission is the same, which is \u2014 whether you\u2019re at a company, government, or nonprofit \u2014 to reduce risk, especially on traditional security.\u201d<\/p>\n<p>Even though it might not be possible to develop a constant and unchanging definition of what a CISO does, it would help smooth relationships across the organization if a standard definition existed. \u201cIt would reduce the friction if there was clarity on exactly what the CISO needed to do and where the boundaries are,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/smallersecurity\/\">Omar Khawaja<\/a>, field CISO and VP of security at Databricks\u00a0and faculty member at Carnegie Mellon University, tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Chief\u2019 in name only adds to the confusion<\/h2>\n<p>Like other executive-sounding titles, such as chief marketing officer, chief revenue officer, chief technology officer, and others, CISOs sound like they should be officers of the company with broad decision-making capabilities, but in most cases, they <a href=\"https:\/\/www.csoonline.com\/article\/3617367\/dear-ceo-an-open-letter-from-your-ciso.html\">lack any actual power<\/a>.<\/p>\n<p>\u201cThere are some CISOs that sort of rise to what it means to be an officer of the company, and they\u2019re then treated as such, regardless of their <a href=\"https:\/\/www.csoonline.com\/article\/565560\/does-it-matter-who-the-ciso-reports-to.html\">reporting relationships<\/a>,\u201d Khawaja says.<\/p>\n<p>\u201cI\u2019ve seen CISOs that are four levels down from the 
CEO, but they are seen as a first-class member of the executive suite,\u201d he adds. \u201cI have seen CISOs who are a direct report of the CEO, and they have almost no influence and no authority. So, it has very little to do with the actual reporting relationship and the organizational structure. It has much more to do with the ethos and the behavior of the individual themselves and the quality of the relationships that they make with the CEO, with the board, and with their peers.\u201d<\/p>\n<p>Ellis says, \u201cThere\u2019s been this explosion of C-level titles that are not C-level roles in companies. The CSO [chief security officer] was the first of them. I think the CIO and the CMO were the last new ones to become part of the C-suite, and almost everybody since then is not part of the C-suite. They\u2019re always a step down.\u201d<\/p>\n<p>But Ellis thinks this <a href=\"https:\/\/www.csoonline.com\/article\/1310363\/the-death-of-the-cio.html\">lesser role that CISOs occupy will not last for long<\/a>, given how vital cybersecurity is. \u201cI think we\u2019re more likely to see an evolution of the CISO back into a CIO- or CTO-type role. If you look at what a CIO does today outside of the Fortune 500, they\u2019re a procurement officer for commodity hardware and SaaS services. That\u2019s not a C-level position. But that <a href=\"https:\/\/www.csoonline.com\/article\/2510280\/cisos-successfully-take-on-dual-titles.html\">combined with the CISO<\/a> is.\u201d<\/p>\n<p>Headway\u2019s Chiang believes that even if CISOs don\u2019t merge back into CIOs, <a href=\"https:\/\/www.csoonline.com\/article\/4002753\/cisos-reposition-their-roles-for-business-leadership.html\">they\u2019re likely to attain more power<\/a>. 
\u201cWe are moving to more standards and norms around what a CISO does, which in some ways is a natural follow up to what CISOs now need to ensure, for example, being a named officer by the board and therefore having the same level of liability coverage as a CFO, for example, in some of these risk decisions.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How CISOs can communicate what they do<\/h2>\n<p>No matter where the organization is on the cybersecurity maturity curve, or how little executive power a CISO truly has, experts say there are ways to communicate the CISO\u2019s duties so that internal or external stakeholders have a clearer idea of what they do.<\/p>\n<p>Very few standard documents exist that can help with this task. Cybersecurity board advisor <a href=\"https:\/\/rafeeqrehman.com\/\">Rafeeq Rehman<\/a> produces each year a \u201c<a href=\"https:\/\/rafeeqrehman.com\/2025\/03\/30\/ciso-mindmap-2025-what-do-infosec-professionals-really-do\/\">CISO MindMap<\/a>,\u201d which is a visual achievement that crystallizes what CISOs do. But it is intricate, displaying hundreds of duties that any given CISO might undertake.<\/p>\n<p>\u201cI wouldn\u2019t share that mind map with my peers,\u201d Chiang says. \u201cIt would overwhelm them.\u201d<\/p>\n<p>Ellis has produced <a href=\"https:\/\/www.howtociso.com\/how-to-ciso-volume-0-the-ciso-job-description\/\">The Idealized CISO Job Description<\/a>, which is all-encompassing in describing the complex range of CISO job responsibilities. But, few CISOs have ever carried this level of duties. 
Ellis says he knows of only 100 or so CISOs who have met the idealized criteria, and \u201cthey\u2019re mostly all in the <a href=\"https:\/\/www.csoonline.com\/article\/568125\/cso-hall-of-fame-honorees.html\">CISO Hall of Fame<\/a> at this point,\u201d he says.<\/p>\n<p>Instead of sharing these complex and specialized documents, Chiang says CISOs should \u201clook for ways to tell the story from our shared customer\u2019s perspective,\u201d to paint a picture of what they do in terms of providing access or reducing risk, for example. \u201cThat moves us away from maybe thinking the CISO is a decision-maker, which they are almost never. They\u2019re advisors and helpers and enablers, and show up when things go wrong.\u201d<\/p>\n<p>\u201cThe first thing a CISO has to do is learn to speak the language of the person to whom they\u2019re speaking and to determine what they are measured on, what is best for them.\u201d Dr. Z says. \u201cDetermine what\u2019s important to this person or this department or this office, and how you can show your relevance to that.\u201d<\/p>\n<p>Ellis thinks it\u2019s essential for CISOs to show their work to customers in person. \u201cYou want everything to be in person,\u201d he says. \u201cYou want to have conversations with people, and they should see the work that you do. You should never tell them, \u2018We did this thing.\u2019 They should see what you do and really what you help other people to do.\u201d<\/p>\n<p>Moreover, in communicating throughout the organization, CISOs\u2019 messages will carry greater weight and be more memorable if they give credit to others. \u201cMention what somebody else in the company did that protected the company,\u201d Ellis says. \u201cThis engineering team just built us an amazing multifactor authentication system that is seamless. These are the people whom you should be thanking. 
Everybody will want to work with you \u2014 the only one who\u2019s thanking other people.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The first-ever CISO, the late Steve Katz, earned the title chief information security officer at Citicorp in 1995 after Russian hackers stole more than $10 million from the financial institution. Thirty years later, this relative late-comer leadership role remains largely misunderstood \u2014 and subject to greater responsibility volatility than more traditional and established leadership roles [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4121,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4133"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4133"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4121"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_ro
ute=%2Fwp%2Fv2%2Ftags&post=4133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}