Joel Fulton
Why CISOs Need a Security Reality Check

We deserve a seat at the executive table, and we'll be much better at our jobs once we take it.

There is a problem with information security today. I don't mean the skills gap or the issues surrounding data privacy. I don't mean the struggle to keep ahead of the most recent threats and vulnerabilities. I don't even mean the next General Data Protection Regulation. In fact, this problem isn't a new problem; it has always been around.

Those other conversations are vitally important, but I'm referring instead to a pervasive and insidious problem, one as important as any other security challenge the industry currently faces: we security practitioners have either lost our way or, most often, failed to understand what our roles should be in the first place.

Let me explain.

In April, I attended the RSA Conference in San Francisco, where I met with some of the most cutting-edge security innovators in the country. Leaders gathered to share war stories and best practices, as well as demo and test the newest security tools they might take home to their own organizations. But something was missing.

RSA is an exciting conference that celebrates and represents the vibrant security community — attending typically is encouraging for the future. But as much as RSA symbolizes security's best, so too it is part of the problem: flash, swag, and groupthink. In sum, there's an over-reliance on the flavor of the week rather than on sound security best practices.

Not All That Glitters Is Gold
So, why does this focus on the "latest and greatest" security technology exist? In conversations with many other chief information security officers (CISOs), two answers rise to the top: first, the average tenure of a CISO is short. Perfect data on this is hazy, but it has been reported to be as short as 17 months, though there is indication the number is rising. Second, many CISOs still don't think or act as though we've earned the "C" in our titles.

The comparatively short CISO tenure is often rooted in the individual CISO's desire for gain and fear of loss. Most CISOs have very little upward or lateral mobility within an organization. To grow in our careers, improve our salaries, and gain new experiences, it's easier to move to other organizations. Further, a typical CISO must balance between staying somewhere too short a time to take blame ("it was the last person's fault"), long enough to leave an impact (so you have successes to point to when looking for your next job), and too long (until a security incident actually happens and you take the fall).

As a result, we often choose to set short-term goals with shallow impact and do so with more condensed time frames than other C-level peers; we often seem desperate to show progress but choose methods that prevent it. We are tempted to do the easy things first, and leave the hardest things to the future ... or the next CISO.

All too often, these take the form of the new "shiny" security solution to make ourselves look good before taking the "quit while we are ahead" approach and moving to another organization to reset the scales. It's easy and common to fall into a consumer-mindset trap, buying the latest gadget, knowing full well that if it doesn't actually improve security, at least it looks like the CISO is doing something. It is a harsh truth, but not something I think is unfair. CISOs will frequently nod in agreement when discussing this subject and agree we can do better.

How We Can Change
For many organizations, the CISO role is relatively new, and as such, many organizations remain unsure of how to incorporate the position into the enterprise's operations. At Splunk, I'm fortunate this is not the case, but I've heard time and time again that it is true for many of my peers.

As a result, we CISOs are often left feeling unsure of our place at the table. Rather than being seen as strategic advisers, too many CISOs are seen as the people who just say "no." That's in contrast with other divisions of the organization, such as sales, marketing, and product development; when security is successful, you don't hear about it.

We need to do a better job of proving our ROI to the mission of the enterprise. We need to commit to a disciplined focus on achieving excellence in the fundamentals and delivering on the hard tasks, even if they are slow to accomplish and don't lead to stage presentations. We need to do a better job of understanding why and in what ways security is a critical standard business practice, equal in importance and function to every other operational area of an enterprise, and then demonstrate through our actions that we believe it.

Today, security is swarmed by new applications and tools that promise to make security operations easier and organizations more secure. From automation to artificial intelligence, we're in a golden age of security innovation. It's easy to get swept up in the excitement, but we are moving past the era where security needs to be flashy. Instead, let's be a little more introspective and a lot more disciplined.

My charge to all CISOs and aspiring CISOs out there: spend some time reflecting on your own security practices. Know that security is no longer seen as a sunk cost to enterprises but as a core part of business. We do deserve a seat at the table, and we'll be much better at our jobs once we take it.


Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ...

6/14/2018 | 12:57:43 PM
The CEO of this ongoing train wreck showed the true attitude of the C-suite to security pro issues when he testified that only one (1) IT drone unit was responsible for the hell at this firm --- by failing to apply a patch. Wow! Total ignorance of complex issues if their entire security protocol rests on one chap. Incredible, and from what I hear, many American firms are equally blind. So we do NOT GET RESPECT and probably never will. We should have such a seat --- but don't hold your breath.