Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Joel Fulton
Joel Fulton
Connect Directly
E-Mail vvv

Why CISOs Need a Security Reality Check

We deserve a seat at the executive table, and we'll be much better at our jobs once we take it.

There is a problem with information security today. I don't mean the skills gap or the issues surrounding data privacy. I don't mean the struggle to keep ahead of the most recent threats and vulnerabilities. I don't even mean the next General Data Protection Regulation. In fact, this problem isn't a new problem; it has always been around.

Those other conversations are vitally important, but I'm referring instead to a pervasive and insidious problem, one as important as any other security challenge the industry currently faces: we security practitioners have either lost our way or, most often, failed to understand what our roles should be in the first place.

Let me explain.

In April, I attended the RSA Conference in San Francisco, where I met with some of the most cutting-edge security innovators in the country. Leaders gathered to share war stories and best practices, as well as demo and test the newest security tools they might take home to their own organizations. But something was missing.

RSA is an exciting conference that celebrates and represents the vibrant security community — attending typically is encouraging for the future. But as much as RSA symbolizes security's best, so too it is part of the problem: flash, swag, and groupthink. In sum, there's an over-reliance on the flavor of the week rather than on sound security best practices.

Not All That Glitters Is Gold
So, why does this focus on the "latest and greatest" security technology exist? In conversations with many other chief information security officers (CISOs), two answers rise to the top: first, the average tenure of a CISO is short. Perfect data on this is hazy, but it has been reported to be as short as 17 months, though there is indication the number is rising. Second, many CISOs still don't think or act as though we've earned the "C" in our titles.

The comparatively short CISO tenure is often rooted in the individual CISOs desire for gain and fear of loss. Most CISOs have very little upward or lateral mobility within an organization. To grow in our careers, improve our salaries, and gain new experiences, it's easier to move to other organizations. Further, a typical CISO must balance between being somewhere too short of a time to take blame ("it was the last person's fault"), long enough to leave an impact (so you can have successes to point to when looking for your next job), and too long (where a security incident actually happens and you take the fall).

As a result, we often choose to set short-term goals with shallow impact and do so with more condensed time frames than other C-level peers; we often seem desperate to show progress but choose methods that prevent it. We are tempted to do the easy things first, and leave the hardest things to the future ... or the next CISO.

All too often, these take the form of the new "shiny" security solution to make ourselves look good before taking the "quit while we are ahead" approach and moving to another organization to reset the scales. It's easy and common to fall into a consumer-mindset trap, buying the latest gadget, knowing full well that if it doesn't actually improve security, at least it looks like the CISO is doing something. It is a harsh truth, but not something I think is unfair. CISOs will frequently nod in agreement when discussing this subject and agree we can do better.

How We Can Change
For many organizations, the CISO role is relatively new, and as such, many organizations remain unsure of how to incorporate the position into the enterprise's operations. At Splunk, I'm fortunate this is not the case, but I've heard time and time again that it is true for many of my peers.

As a result, we CISOs are often left feeling unsure of our place at the table. Rather than being seen as strategic advisers, too many CISOs are seen as the people who just say "no." That's in contrast with other divisions of the organization, such as sales, marketing, and product development; when security is successful, you don't hear about it.

We need to do a better job of proving our ROI to the mission of the enterprise. We need to commit to a disciplined focus on achieving excellence in the fundamentals and delivering on the hard tasks, even if they are slow to accomplish and don't lead to stage presentations. We need to do a better job understanding why and in what ways security is a critical standard business practice equal in importance and function to every other operational area of an enterprise then displaying we believe it through our actions.

Today, security is swarmed by new applications and tools that promise to make security operations easier and organizations more secure. From automation to artificial intelligence, we're in a golden age of security innovation. It's easy to get swept up in the excitement, but we are moving past the era where security needs to be flashy. Instead, let's be a little more introspective and a lot more disciplined.

My charge to all CISOs and aspiring CISOs out there: spend some time reflecting on your own security practices. Know that security is no longer seen as a sunk cost to enterprises but as a core part of business. We do deserve a seat at the table, and we'll be much better at our jobs once we take it.

Related Content:


Top industry experts will offer a range of information and insight on who the bad guys are — and why they might be targeting your enterprise. Click for more information.

Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/14/2018 | 12:57:43 PM
The CEO of this ongoing train wreck showed the true attitude of C-Suite to security pro issues when he testified that only one (1) IT drone unit as responsible for the hell at this firm --- by failing to apply a patch.  Wow!  Total ignorance of complex issues if their entire security protocol rests on one chap.  Incredible and from what i hear, many American firms are equally blind.  So we do NOT GET RESPECT and probably never will.  We should have such a seat --- but don't hold your breath. 
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read ...
PUBLISHED: 2021-05-14
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.DenseCountSparseOutput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efff014f3b2d8ef6141da30c806faf141297eca1/t...
PUBLISHED: 2021-05-14
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is...
PUBLISHED: 2021-05-14
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application tha...
PUBLISHED: 2021-05-14
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream...