News & Commentary

Julian Waits, 11:59 AM

Once More Into the Breach, Dear CISO

The sad truth about CISOs is that they are seldom given power over security budgets or strategic IT decisions. To many C-level execs they exist to accept blame and are given little authority to effect change.

The search for a scapegoat is the easiest of all hunting expeditions, according to former President Dwight D. Eisenhower. If that’s the case, Chief Information Security Officers (CISOs) must be worried that they will soon be stuffed and mounted in board rooms around the country.

Since the Target breach, cyber security has been thrust into the spotlight, with media coverage of the next major data breach dominating headlines on a near-weekly basis. The heightened visibility is creating speculation in the media and beyond about what enterprises, governments, and security experts are doing to fight cybercrime.

In an effort to respond, boards have elevated the CISO, a once obscure position, to the C-suite. But while the honorific is there, the responsibilities are not. A ThreatTrack-sponsored survey of 203 C-level executives recently found that the majority of them keep CISOs at a distance, give them limited responsibilities, and ultimately believe that they exist to serve as a scapegoat should a data breach occur. Respondents made it clear that CISOs are seldom given power over the security budget, or in making strategic IT decisions. In short, they exist to accept blame, but have no power to effect change.

Are CISOs merely a scapegoat for the C-suite? (Painting by William Holman Hunt [Public domain], via Wikimedia Commons)

This is a dilemma, one that goes beyond internal power struggles and instead represents a major problem for enterprise security. Many CISOs have not been put into a position to succeed, and by virtue of that, enterprise cyber security is not getting any better. The problem will continue until the CISO earns a seat at the table. It will take cooperation and hard work on the part of CISOs and their peers, but it needs to happen, and soon.

One of the major issues affecting CISOs is that their role is poorly defined. CISOs often lack the power to spend or implement policy, with those responsibilities resting elsewhere in organizations. Even something as simple as organizational structure is complicated for CISOs, with research showing that different organizations have them report to the CEO directly, the CIO, or even the CFO. With little decision-making power or structure, it isn’t hard to understand why C-level executives are skeptical of CISOs. There’s a good chance they don’t understand why the CISO is there at all.

While a defined role would help the CISO in his or her mission, there is another fine line that has to be walked -- the balance between business needs and cyber security policy. The national epidemic of data breaches has forced the hand of business leaders, making cyber security a top priority. But, it is still unclear who wins a debate in the enterprise when good cyber security policy gets in the way of efficient business processes. Given the lack of power in most CISOs’ hands, the answer might not be good for those who would like their data protected. That’s a problem.

Now the good news
All hope is not lost for CISOs. They have the ability to change how they are perceived and build positive reputations in the enterprise. And it starts with learning a new language – the language of the business, not of cyber security. The CISO’s role in the boardroom is to educate executives about risk. To gain credibility and change perceptions, CISOs need to stop discussing security in a vacuum and start explaining a technical problem in terms of what it means to the business. By putting cyber security in terms the rest of the C-suite understands, CISOs can begin to exert real influence and gain support.

More importantly, CISOs need to integrate security into the enterprise by explaining its value to the business. At the highest level, security is not about malware and breaches, it is about risk management.

CISOs should explain why a cyber security policy is necessary in terms of what is at stake for the business, and should be prepared to identify a return on investment when they make a large expenditure. Ultimately, good security practice is a positive for businesses, even a potential competitive advantage for enterprises that handle sensitive data. CISOs need to frame cyber security policy in that light, rather than as being a roadblock. The days of a “compliance” mindset for security are over, and CISOs will benefit greatly by taking a proactive, risk-based approach.

Additionally, CISOs can gain respect in the enterprise by proving their worth through metrics and goals. If demand is increased by 20%, the CMO gets the credit. CISOs need to define what success is through measurable metrics, and report on them on a regular basis. In the past, the CISO has been viewed as a spender and a scapegoat. CISOs need to defend themselves and their work by framing their successes in business terms (and not just in a time of crisis), and explaining that good cyber security practice protects the bottom line.

Their position is not enviable, and their battle is uphill, but CISOs need to fight. With breaches discovered on a daily basis, there are few who would argue that enterprise security is not broken. But, only a small group of experts is uniquely qualified to fix it. CISOs can take on that role. They just have to win over their peers first. Enterprise security depends on it.

Julian Waits serves as President and Chief Executive Officer for ThreatTrack Security, guiding the company's growth as it traverses the enterprise security market with threat analysis, awareness, and defense solutions that combat advanced persistent threats (APTs), targeted ...
User Rank: Strategist
11/6/2014 | 6:05:30 PM
Not metrics and goals
CISOs don't need more metrics and goals layered on their existing metrics and goals. They need a vision and a mission and they need people to execute. If a CISO earns a $670,000 yearly salary, up from $400,000 two years ago -- then they already have a seat at the board. What they need now is to hire people with similarly-structured salaries to execute their vision.

The vision is simple: create a cyber analytical model based on something like the fusion center, construct a framework similar to the Cyber Operations Maturity Framework, and build a platform that can deliver the results. Any technology piece such as SIEM, Cyber Threat Intelligence, Mobile Device Management, or NGFW needs to be balanced against the model and the framework -- and it must integrate with the analytical platform. Typically, an analytical platform consists of exploratory data analysis, exploratory factor analysis, and link analysis -- perhaps graded on a reference-class forecast or similar probability distribution. If you don't know what I just said, perhaps you should pick up the book, "Measuring and Managing Information Risk", which basically explains an approachable, analytical risk model to the uninitiated.

The average lifetime of a CISO is still 2 years, but their salaries are doubling every 2 years. The rest of us information security professionals have seen stagnant salaries for 20 years -- ever since we existed. If the CISOs won't change the game, then leaders will rise from the trenches. Lead, follow, or get out of the way!
Marilyn Cohodas
User Rank: Strategist
11/7/2014 | 10:05:18 AM
Re: Not metrics and goals
Great point about getting the right team in place to execute a cybersecurity plan @andregironda! What does that look like in your view and how would it differ from the organizational structure in the typical SOC?
User Rank: Strategist
11/7/2014 | 10:21:29 AM
Re: Not metrics and goals

Please check out the Cyber Operations Maturity Framework. The basic model is the fusion center, originated at EUCOM -- fas dot org/irp/agency/dod/eucom/jac/

Typical SOCs are operating from a picture that emphasizes timelines and locality analysis, but without extensive exploratory or link analyses. They operate with indicators, but without indications analysis and without warning analysis (I&W) -- for example, I never see STIX that includes warning intelligence or attack indicators, only IoCs. Typical SOCs also separate the malware reversing process from the threat intelligence process too much... I mean, did you know that you can embed MAEC into STIX?

The primary issue for information security programs is lack of a formalized risk language and risk model based on costs to the business. For this, I could recommend FAIR as a starting point -- the book "Measuring and Managing Information Risk" (from the authors of FAIR) is timely.
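The comment above points to FAIR as a risk language grounded in cost to the business, and the article itself argues for stating security in terms of risk and return on investment. As an added illustration (not code from the article, from the commenter, or from FAIR's own tooling), the Python below runs a small FAIR-style Monte Carlo: loss event frequency and loss magnitude are entered as calibrated min / most-likely / max estimates, annual losses are simulated, and the expected reduction from a control is weighed against what the control costs. The scenario, its numbers, the use of a triangular distribution, and the assumed effect of MFA are all constructed assumptions for the example.

```python
"""FAIR-style annualized loss exposure (ALE) by Monte Carlo simulation.

Added example; the distributions, scenario figures and control cost are
constructed for illustration, not taken from the article or its comments.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, modelled here as a
    triangular distribution (a modelling assumption; FAIR tools often use PERT)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # loss event frequency: loss events per year
    lm: Estimate   # loss magnitude: cost per event, in currency units


@dataclass(frozen=True)
class AleResult:
    mean: float
    p50: float
    p90: float


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(scenario: Scenario, n_years: int = 20_000, seed: int = 7) -> AleResult:
    """Simulate n_years independent years; each year draws a frequency, then
    a Poisson event count at that rate, then one magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        events = _poisson(rng, scenario.lef.sample(rng))
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    losses.sort()
    return AleResult(
        mean=sum(losses) / n_years,
        p50=losses[int(0.50 * (n_years - 1))],
        p90=losses[int(0.90 * (n_years - 1))],
    )


def expected_ale(scenario: Scenario) -> float:
    """Closed-form sanity check: E[ALE] = E[LEF] * E[LM] under independence."""
    return scenario.lef.mean() * scenario.lm.mean()


def control_roi(before: Scenario, after: Scenario, annual_control_cost: float, **kw) -> float:
    """Net annual benefit of a control: simulated ALE reduction minus its running cost."""
    reduction = simulate_ale(before, **kw).mean - simulate_ale(after, **kw).mean
    return reduction - annual_control_cost


# Constructed scenario: credential phishing leading to a data exposure.
BASELINE = Scenario("phishing -> data exposure",
                    lef=Estimate(0.5, 2.0, 6.0),
                    lm=Estimate(50_000, 250_000, 2_000_000))
# Same scenario with phishing-resistant MFA assumed to cut the frequency sharply.
WITH_MFA = Scenario("phishing -> data exposure (with MFA)",
                    lef=Estimate(0.05, 0.3, 1.0),
                    lm=BASELINE.lm)

if __name__ == "__main__":
    for s in (BASELINE, WITH_MFA):
        r = simulate_ale(s)
        print(f"{s.name}: mean {r.mean:,.0f}  p50 {r.p50:,.0f}  p90 {r.p90:,.0f}")
    print(f"net annual benefit of MFA at 150,000/yr: "
          f"{control_roi(BASELINE, WITH_MFA, 150_000):,.0f}")
```

The point of the exercise is the output format rather than the arithmetic: a board hears "expected annual loss of roughly X, with a one-in-ten-years loss above Y, and this control is worth Z per year net of its cost", which is the business language the article asks CISOs to learn. The p90 figure matters as much as the mean, because a single large loss is what actually drives a breach conversation.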