Is it Time to Reinvent the CISO?

Tuesday, March 13, 2012

Rafal Los


A colleague sent me a headline and executive summary from a Forrester "Forrsights" piece called "The new IT security buyer landscape" by Heidi Shey and Stephanie Balaouras. 

I have not yet had a chance to read the paper, but the executive summary has caught my attention when you juxtapose it against recent conversations and discussions I've had with some of you. 

The core question out there seems to be - "is this the year we reinvent the CISO?" and I'm hesitant to answer anything besides an emphatic yes.

The executive summary of the Forrester piece calls out the fact that CISOs are by and large getting absolutely no respect.  While I'm not sure I completely agree with that stance, I do believe that the CISO role is fundamentally flawed. 

The main reason I believe the role of the CISO is fundamentally flawed is because purely by the name of the role we're implying a disconnect from the business. 

Information Security implies you're looking at information and primarily focusing on that as your goal, rather than the business.  This may sound like a trivial play on words, but believe me when the board room is concerned, this matters.

If the CISO (Chief Information Security Officer) isn't the right title, then what is?  Well, Forrester suggests that maybe it's time for the CBSO (Chief Business Security Officer) to rise up from the ashes as the reinvented CISO.  I've given this a lot of thought, and I'm inclined to agree. 

The authors write "To make this transition, CISOs must demonstrate a traceable alignment to business objectives and bring greater financial and risk management discipline to security strategy and decision-making."  In a word, absolutely.

While I don't really believe the situation for CISOs is all that dire as a general statement, I know several who are struggling with even the most basic responsibility vs. capability issues, so this would ring true to them.  Going back a little over 4 years to when I performed the role, I can agree I had very little respect, but that was, looking back on the experience, largely my own fault. 

As a young and naive security leader I often saw technical solutions first, and non-technical solutions later.  I often made the mistake of seeking out the 'shiny box' to solve some of the big problems my business was facing only to fail even with the best budget. 

Ultimately the experience of leading in such a high-pressure environment proved to me that not only was I doing it wrong, but that I had to learn to re-focus on what mattered and seek non-technical solutions to business problems first and foremost to gain any respect.

What then, are we to make of this call for a new Chief Business Security Officer (CBSO) role?  Should you change the sign on your door tomorrow morning if you're a CISO?  Is it really so bad to be a technically capable manager?  The answer to both those questions is no.  So now what?

I will admit that I am warming up to the idea of the CBSO.  Is it a replacement for a CISO?  I don't believe so, but that's going to depend on the company size.  In an enterprise environment, just as the roles of the CIO and CTO have been split, the roles of the CISO and CBSO will likely be split in the future. 

I do think that ideally one person would play both roles and serve the business and the information from a single seat, but that may be unrealistic... then again it might not. 

There are a lot of very capable CISOs out there who have already earned the respect of their business leaders, and a title change will do little to change that.  Furthermore, I know of a few CISOs whose attitude or behavior a title change won't necessarily alter - so it won't help them at all.

When the rubber meets the road, I think it comes down to attitude change.  Is the CISO willing to take on more business-focused responsibilities, and look at information security from a less technical solution-oriented perspective - and if so is that sustainable?  If you're looking for advice I have a little bit here for you.

First and foremost, make sure you're crystal-clear on who you're serving, and who your customer is.  You're a steward of the business and are charged with keeping its information and everything else safe and secure. 

You're also charged with expressing technical risk and debt in such a way that your peers and fellow decision makers understand it clearly and can use that information to make informed decisions.  If your first inclination to any business problem is to call a vendor and start an RFI for the latest piece of hardware or software - you're already failing... stop yourself.

Next, understand you likely don't get to make decisions.  The line-of-business owners are charged with that.  They're also the only ones who can accept risk on behalf of the business.  You should be providing sound advice based on technical analysis with a sound business context, and making sure people understand what they're accepting or not.  Your job is not to make people fear technology, hackers, or the evils of not listening to the CISO.

Finally, if you really have to go that extra mile of changing your job title from CISO to CBSO, and you really believe you need to do it to gain some respect, do it.  Sometimes perception is reality - and a title change may signal to your peers and leadership that you get it and are finally starting to do something about it.  Don't fool yourself though - changing a title doesn't mean you can skip actually making the attitude change.

Is this the year we start seeing CBSOs?  I think it's about time. What do you think?

Cross-posted from Following the White Rabbit

Ian Tibble

So the change to CBSO would be purely an image change to gain more respect? The perspective is interesting here because from what I've seen most CISOs are purely business and not about information at all, which is opposite to what is written here...but anyway I would think CISO would be a thankless role regardless of title or image.

There is "You should be providing sound advice based on technical analysis with a sound business context" which in terms of the R&Rs of a CISO nails it on the head in my opinion. Given the aforementioned phrase it's hard to dispute anything written here. Just from my own experience though, which may well be different to others' experiences, the CISO role will not garner respect from others until CISOs can lay their hands on even half decent line reporting. For example, tools / shiny boxes: do the tools produce accurate output? Do Security Analysts understand ground level issues re: technical risks? I think it could be hard for CISOs to really find any confidence when they report, but they need to give answers anyway...and most seniors in board rooms can see the lack of confidence regardless of how rigorous the efforts to hide it are.