A decade of firefighting has taken its toll on the CISO profession
The role of the chief information security officer (CISO) is changing. It can no longer be seen JUST as a technical role, if it ever was.
In some industries, it is being challenged by the worldwide tightening of regulations around privacy and the emergence of DPOs and other related roles.
Everywhere, it is being challenged by the non-stop avalanche of cyber-attacks and data breaches of the past decade, which have raised the visibility of cyber security to Board level, but at the same time have also prevented many CISOs from getting out of fire-fighting mode.
This is the crux of the matter.
Senior executives are increasingly endorsing a “when-not-if” paradigm around cyber-attacks and are demanding fundamental change and action beyond day-to-day fire-fighting, often in exchange for very significant investments in security.
They are expecting the CISO to lead such programmes of work, but many CISOs have never been recruited or trained for such a challenge, under such a level of scrutiny.
Very often, it is about addressing problems rooted in a decade of lip service or under-investment in security, and it involves a true transformation of many business practices across the firm.
You don’t become a transformational leader overnight, in particular if your background, your skills and your core interests are centred around the more technical aspects of cyber security. Nothing wrong with that, and while the focus was on fire-fighting cyber-attacks all the time, those would have been valuable qualities.
But as the focus shifts towards transformation and execution, the ability to influence across silos and to understand the true nature of the business and the more transversal aspects of security becomes paramount. Those are rarely attributes of a native technologist, and they are not attributes you develop through the constant fire-fighting of technical problems.
So, in parallel with the “lost decade” of cyber security and reflecting it, there is also a lost decade for the CISO profession: a lost decade during which many have hopped from job to job, collecting higher and higher salaries for their technical fire-fighting skills, but without encountering the terrain in which to develop true enterprise-level leadership and transformational skills.
As senior executives turn a page and we enter – possibly – an execution-dominated decade around cyber security, many CISOs are just not equipped to lead.
Let’s say this one more time: Just throwing money at cyber security problems won’t make them disappear overnight. Remediating issues rooted in a decade of adverse prioritisation by the business will cost money, but it will also require time and in many cases, relentless drive to change mindsets.
Who should do this, if the CISO can’t? … There are broadly two types of option:
Organisational models may need to evolve to allow a broader CSO type of role to emerge in large firms, encompassing security at large, continuity and privacy, with the CISO role retreating back to its technical roots. This would by itself attract a different calibre of individual into each role and such rebalancing of skills could be key to the success of large-scale cyber security transformation programmes.
Alternatively, the profile of the CISO needs to change to adjust to the imperatives of the “when-not-if” era: it becomes essential to start prioritising leadership skills over technical skills and to distribute roles across a structured function, instead of looking for “unicorn” profiles. Nobody can be credible on all fronts all day long, from the Board down and horizontally across all functions and geographies of the business. Those profiles don’t exist, and pretending otherwise is just setting the CISO up to fail.