Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

8/28/2020
10:00 AM
Brian Ahern
Brian Ahern
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Redefining What CISO Success Looks Like

Key to this new definition is the principle that security programs are designed to minimize business risk, not to achieve 100% no-risk.

A recent study from the Enterprise Strategy Group found that the average CISO tenure is two to four years. It would seem there are a wide variety of contributing factors regarding why many security professionals last less than 1,000 days in the role, among them the fact that the role and expectations are different from company to company. Many organizations face an ever-evolving security and risk strategy, which can change key competencies required for success. Over more than a decade in the security industry, I found this gray area leads to a lot of ambiguity around what success in the CISO role looks like and often causes misunderstandings, false expectations, and burnout due to not just security challenges but a lack of organizational clarity and expectations as well.

Publicity around major data breaches and compliance requirements, along with ongoing discussions of privacy and data rights, have opened the eyes of the C-suite and boards, highlighting the critical nature of the CISO role. Many executives and boards view cybersecurity investment as an insurance premium aimed at avoiding data breaches, and often are highly reactive to the headlines about the latest name-brand exploits or intelligence community leaks. This leads to executives and boards asking the CISO to ensure they're protected against these highly publicized breaches, which represent less than 1% of common cyber threats, while lacking appreciation for the efforts and investments necessary to address the more likely cyberattack scenarios companies face. 

Related Content:

How CISOs Can Play a New Role in Defining the Future of Work

10 Resume and Interview Tips from Security Pros

This lack of clarity has led to misperceptions and inconsistencies around the CISO role. CISO job descriptions vary greatly across the industry, depending on the size of the company, nature of the business, whether privately held or publicly traded, etc. It should not be surprising that clarity of the role of a successful CISO remains one of the greatest corporate mysteries. In some instances, CISOs own everything from enterprise risk, compliance and service production to deployment, all while having to do so with a commonly undersized staff and budget, however extraordinary the business expectations.

It is unrealistic to expect CISOs to be omnipotent cybersecurity demigods. They should be expected to help shape their companies' security investment priorities aligning with corporate-defined objectives, but within reason, given organizational support resources and operating budgets. The reality is that properly defined, resourced, and executed security programs are designed to minimize business risk, not achieve 100% no-risk. In addition to responsibility for managing corporate security and compliance, many CISOs also find themselves playing a role in business development, customer acquisition, customer retention, employee development, and employee retention. 

Organizational development for security awareness and career development is a major, underrated aspect of being a CISO. CISOs have as much pressure on talent retention and talent development as other business leaders. Cybersecurity skills are in high demand, so it's important that security leaders work closely with their people to ensure talent development, which enhances talent retention. In already resource- and budget-constrained organizations, loss of your security talent makes achieving defined business objectives even more difficult and taxing on the CISO.

Is it realistic for the modern-day CISO to balance the heavy demands placed on the role? Those often come without a clear alignment with executives and boards on risk, a lack of sufficient resources and budget, and additional business pressures that go beyond risk mitigation. Here, in my opinion, lies the major contributing factors to CISO burnout.

At the end of the day, it's important that the security community and business leaders work together to actively shape and ensure success in the CISO role. This starts with the business investing the time in understanding the security requirements and then agreeing upon business risk tolerance. Once risk tolerance is defined, then it is critical to resource and fund the security program, taking into account the ancillary pressures on the CISO role. The goal is not only to reduce business risk, but to do so while eliminating the risk of burnout of the CISO, an executive position that is becoming increasingly difficult to both recruit and retain.

As Threat Stack's Chairman & CEO, Brian is passionate about building disruptive technology companies, fueled by innovation and high-performing teams. A seasoned technology executive with over two decades of experience, Brian joined Threat Stack in 2015 from Industrial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...