CISO 2.0: Enterprise Umpire or Wide Receiver?
There’s a pretty well-known characteristic among umpires. Just about any of them will tell you that a good day of work for them is if nobody notices that they existed. For the most part, that’s the truth. We notice when they blow a call, but don’t give them any thought when they’re doing their job successfully.
For years that’s been the role of the Chief Information Security Officer (CISO). The primary goal of the security department has been to keep the organization out of the newspapers. As long as no data was leaking and no regulators were barking, the CISO could operate as a cost-center in relative obscurity. Much like an umpire, the CISO was unnoticed when he was most successful. We’ll call this CISO 1.0.
The opposite end of the sports spectrum is the wide receiver. This is a position where success is defined by being in the spotlight. If this guy isn’t catching touchdowns and actively adding value to the organization, he isn’t seen as a success. His position thrives on being in the action and adding value to the team.
At this year’s RSA Conference, I attended a session where one of the speakers (a highly experienced security leader for whom I have great respect) made a comment that CISOs want to be noticed “not at all.” I don’t know what percentage of CISOs still operate under that mindset, but I believe it’s past time for a change. Security leaders have been umpires for too long, and it’s time to start flashing a bit of wide receiver.
Areas that do not provide significant organizational value are eliminated or commoditized
The nature of the business world is to invest our limited resources in areas that provide value. Areas that are not providing significant organizational value should either be eliminated or commoditized (to pay the minimum cost possible while maintaining compliance). In security, it is our challenge to demonstrate to the business that the money they invest in us goes further than just keeping us out of the newspaper. Security can deliver tangible benefits out to the business.
An effective security program can reduce the costs of creating products. By maturing our security program we can seamlessly implement security earlier into our projects. By implementing earlier we avoid the painful, time consuming rework that comes with needing to bolt-on security after the fact. Effective security can reduce the production impact of client penetration tests and regulatory changes by working their security requirements into the products the first time.
World class security is a key differentiator in many industries, including financial, government, healthcare and large public organizations. A mature security program is essential for successfully navigating processes like the Department of Defense’s Certification and Accreditation. If your organization provides services to these types of high-demand clients, security can be the difference between getting the sale and losing the business.
The number one value: real perspective on the organization’s data risk. Getting a real measure of an organization’s cyber risk is extremely difficult. Counting on auditors (internal or external) is never going to give the entire picture. But a security department with relationships throughout the organization, with boots on the ground, and personnel with intricate experience working with the technology… that kind of team really has all the tools necessary to tease out the information security posture of an organization. A mature security leader can utilize those resources to provide higher quality risk measures that can allow the organization to see (and avoid) many disasters before they strike.
CISO 1.0 still exists in many organizations, and still will exist for as long as I can foresee. The organizations with those leaders will continue to reduce their security costs, and continue changing the security function into a compliance checkbox designed just to keep regulators, clients and auditors happy.
CISO 2.0 is a growing breed, and looks to break out of the reactive, compliance-driven mindset. This CISO wants to bring new value into the board-room, expanding the ways security improves the positioning of the company. This CISO will still be held responsible for keeping the company out of the newspaper, but can also be known for reducing costs, increasing sales, and helping shape organizational strategy.