The search for a scapegoat is the easiest of all hunting expeditions, according to past President Dwight D. Eisenhower. If that’s the case, Chief Information Security Officers (CISO) must be worried that they will soon be stuffed and mounted in board rooms around the country.
Since the Target breach, cyber security has been thrust into the spotlight, with media coverage of the next major data breach dominating headlines on a near-weekly basis. The heightened visibility is creating speculation in the media and beyond about what enterprises, governments, and security experts are doing to fight cybercrime.
In an effort to respond, boards have elevated the CISO, a once obscure position, to the C-suite. But while the honorific is there, the responsibilities are not. A ThreatTrack-sponsored survey of 203 C-level executives recently found that the majority of them keep CISOs at a distance, give them limited responsibilities, and ultimately believe that they exist to serve as a scapegoat should a data breach occur. Respondents made it clear that CISOs are seldom given power over the security budget or a voice in strategic IT decisions. In short, they exist to accept blame, but have no power to effect change.
This is a dilemma, one that goes beyond internal power struggles and instead represents a major problem for enterprise security. Many CISOs have not been put into a position to succeed, and by virtue of that, enterprise cyber security is not getting any better. The problem will continue until the CISO earns a seat at the table. It will take cooperation and hard work on the part of CISOs and their peers, but it needs to happen, and soon.
One of the major issues affecting CISOs is that their role is poorly defined. CISOs often lack the power to spend or implement policy, with those responsibilities resting elsewhere in organizations. Even something as simple as organizational structure is complicated for CISOs, with research showing that different organizations have them report to the CEO directly, the CIO, or even the CFO. With little decision-making power or structure, it isn’t hard to understand why C-level executives are skeptical of CISOs. There’s a good chance they don’t understand why the CISO is there at all.
While a defined role would help the CISO in his or her mission, there is another fine line that has to be walked: the balance between business needs and cyber security policy. The national epidemic of data breaches has forced the hand of business leaders, making cyber security a top priority. But it is still unclear who wins a debate in the enterprise when good cyber security policy gets in the way of efficient business processes. Given the lack of power in most CISOs’ hands, the answer might not be good for those who would like their data protected. That’s a problem.
Now the good news
All hope is not lost for CISOs. They have the ability to change how they are perceived and build positive reputations in the enterprise. And it starts with learning a new language – the language of the business, not of cyber security. The CISO’s role in the boardroom is to educate executives about risk. To gain credibility and change perceptions, CISOs need to stop discussing security in a vacuum and start explaining a technical problem in terms of what it means to the business. By putting cyber security in terms the rest of the C-suite understands, CISOs can begin to exert real influence and gain support.
More importantly, CISOs need to integrate security into the enterprise by explaining its value to the business. At the highest level, security is not about malware and breaches, it is about risk management.
CISOs should explain why a cyber security policy is necessary in terms of what is at stake for the business, and should be prepared to identify a return on investment when they make a large expenditure. Ultimately, good security practice is a positive for businesses, even a potential competitive advantage for enterprises that handle sensitive data. CISOs need to frame cyber security policy in that light, rather than as being a roadblock. The days of a “compliance” mindset for security are over, and CISOs will benefit greatly by taking a proactive, risk-based approach.
Additionally, CISOs can gain respect in the enterprise by proving their worth through metrics and goals. If demand is increased by 20%, the CMO gets the credit. CISOs need to define what success is through measurable metrics, and report on them on a regular basis. In the past, the CISO has been viewed as a spender and a scapegoat. CISOs need to defend themselves and their work by framing their successes in business terms (and not just in a time of crisis), and by explaining that good cyber security practice protects the bottom line.
Their position is not enviable, and their battle is uphill, but CISOs need to fight. With breaches discovered on a daily basis, there are few who would argue that enterprise security is not broken. But only a small group of experts is uniquely qualified to fix it. CISOs can take on that role. They just have to win over their peers first. Enterprise security depends on it.