Why Your CISO is Ineffective and What You Can do About it
May 19, 2020
Introduction
From the outside, your Chief Information Security Officer (CISO) is a highly-regarded, C-level manager with power and authority to protect your company from security threats. For many companies, unfortunately, the reality is very different. Many CISOs are frustrated and handcuffed, with only a limited ability to affect organizational security. For some, the Chief Information Security Officer position is a curse more than a reward.
CISOs cannot succeed in a vacuum. They are part of a larger security ecosystem, which must all work in concert to make the CISO and the company’s security program thrive. Here is a list of the mistakes organizations make which leave CISOs frustrated and ineffective.
Improper chain of command
If your CISO is reporting to anyone other than the CEO or CFO, then you have a broken and ineffective chain of command. Those who report to the CIO/CTO frequently find themselves in a situation of conflicting interests.
A CISO’s main job is to prevent bad things from happening, which requires quick decision making and resource deployment. The CIO/CTO’s main job is to ensure technology is functioning, sometimes at the expense of security. While the two roles do have overlapping goals, they can also have conflicting goals, and it is therefore better not having either reporting through the other.
Understaffed
CISOs are the head of a complete security team including analysts, engineers and even attorneys. And the size of the team depends, at least in part, on the size of the organization.
A starting point for team sizing is a minimum of one full-time employee on the security team per 1,000 employees. Anything less is considered understaffed, especially if your organization has a large attack surface and persistent threats.
Inadequate budget
Every organization looks to reign in costs, but security is generally not the place to cut corners. If your cybersecurity budget is only a small fraction of the overall IT budget, your Chief Information Security Officer may be set up to fail.
Unless you have a technically-adept team that uses open source and spins up its own solutions in-house, your CISO will have to go the vendor route, which comes with a high price tag. Without the proper budget, your Chief Information Security Officer is more likely to be a scapegoat than a hero.
Insufficient face time with the board
How frequently and how much time does your Chief Information Security Officer get in front of the board? If they get five minutes at the annual board meeting, then security is not a primary concern at your organization and the CISO is bound to be frustrated and handicapped.
A CISO who is given ample recognition by the board, is generally given the necessary tools to safeguard the organization and the top-down mandate that cybersecurity is important.
Not enough autonomy
To do their job properly, your CISO will occasionally have to make an unpopular decision, which is in the best interest of your organization security-wise. And it will only work if they have the authority and autonomy to make that decision.
A good litmus test of a CISO’s authority is if a call from them gets an immediate response from employees. That Chief Information Security Officer probably has the power they need to get their job done. On the other hand, when she/he is forced to govern by committee, they’ll have a hard time pushing security initiatives through.
Conclusion
CISOs are often frustrated, overworked, overstressed, and lack the tools and influence they need to succeed. As more companies understand the need for a strong cybersecurity infrastructure and place it at the forefront of their budget and management structure, the role of a Chief Information Security Officer can move from that of scapegoat to hero. A distinction that could be worth millions.
If you’re just starting out on your security journey, a Chief Information Security Officer might not be the right hire. You need to start to embed security into the team, and you need to address all aspects of your security program, including risk, threats, vulnerabilities and operational activities. CDG’s vCISO services, which can help organizations that are looking to get a full security team embedded with their current team for less than the cost of a CISO, is an option for getting your program ready for this position without the challenges mentioned above.
