The key challenges of the transformational CISO are not technological, but managerial.
There is still a vast amount of debate across the cyber security industry about the role of the CISO, their reporting line, their tenure, the levels of stress they’re under, and the burnout epidemic they’re suffering.
But looking into the actual profile of real people in those jobs, talking to them and listening to their problems, you’d quickly realise that there is a fair amount of creative writing involved in a lot that’s being posted.
It is easy to write about “the CISO” thinking this is a fully established C-level role and one of the pillars of corporate governance. In practice, this is far from being the case and the harsh reality is that the role itself is far from mature, in spite of having been in existence – in some shape or another – for about two decades.
The job title – to start with – is far from universal (and has never been). A large number of variants are in use, and behind those, different role descriptions reflecting the perceptions and priorities of each organisation, which in turn find themselves reflected in the reporting line of the function.
Compounded by the natural differences between industry sectors and the security maturity levels of each company, it creates a myriad of roles, which – in the end – can have very little in common.
The actual reality of the role of a “CISO” reporting to a board member in a mining firm will have very little to do with the role of a “CISO” reporting two levels below the CIO in a retail organisation. Even if good practices are the same – and have been for a long time, and still protect – putting them in place in each of those situations will have very different meanings.
So talking about “the CISO” is often a dangerous shortcut when trying to address the functional or operational aspects of the role.
Where there are commonalities, they lie around the softer aspects of the role.
First of all, if an organisation is large enough to frame the role in CISO terms, it is likely the CISO will have a team below them. This is where many articles on the theme often go wrong: they talk about “the CISO” as if he or she were a one-man (or one-woman) band, directly involved in the delivery of all aspects of their cyber security practice. That’s rarely the case. In most organisations, the CISO is effectively a leader, structuring, organising, delegating and orchestrating work across their team and across the firm – and across the multiple third parties involved in delivering or supporting the business.
The CISO should also be expected to be able to listen to business leaders across corporate silos, understand their priorities, and adjust security practices to their demands and expectations.
It is simply absurd to pretend that the CISO should have those managerial skills, and – at the same time – expect them to constantly put out burning fires, and be credible all the time and all the way across all technical stacks and across all silos of a large corporate. These unicorn profiles simply don’t exist.
What is not absurd is to expect the CISO to structure and lead a team which can be credible on all those fronts – and firefight, and bring along long-term change. That’s the only way it can work in large firms.
Senior executives also need to understand the complexities involved in leading true security transformation across large corporates, and accept the gaps which may exist at times between knowing what needs to be done to protect the business, saying it should be done and making sure it gets done, for good and across the real breadth and depth of the enterprise.
In bridging those gaps lie the real challenges of the role of the transformational CISO. Those are not technological challenges, but managerial, political and governance challenges.
To be successful, the transformational CISO needs to be – first and foremost – a leader with a good business brain. Not just a firefighting technologist.