Perhaps the most talked-about job in the information technology world these days is that of the chief information security officer (CISO) – the man or woman responsible for an organization’s data security and privacy. And for a good reason – nothing gets more attention in the IT world than the endless attacks on big corporations and government entities, which, on average, result in a price tag of roughly $4 million when they are successful.
So it’s hardly surprising that a triumphant CISO is primarily a leader, a manager and a communicator.
They are a technologist as well, but this typically gets less attention as a universal given. Under pressure, the horizons of CISOs are broadening. Now their top priority is to play their part in contributing to the overall success of their employer.
Those who don’t understand or meet business requirements and expectations or don’t effectively communicate don’t last, especially at public companies, dedicated by nature to build shareholder value. For this and other reasons, such as the inadequate security of far more remote workers and the explosion in phishing and ransomware attacks, this is the most challenging time ever for CISOs, and that is saying something in a perpetually stressful occupation. The average CISO stays on the job only two to three years, and a Ponemon Institute study has found that a sizable percentage of surveyed CISOs would prefer to ultimately find a job outside of IT security. This – plus the fact that more companies are hiring CISOs for the first time amid the increasing need to improve protection for IoT devices and in the cloud – is sparking a growing shortage of them.
“The market for CISOs has become very competitive,” says Michael Elmore, a CISO at global GSK Consumer Healthcare, who is typically approached for a job once or twice monthly and says his CISO friends and acquaintances tell him much the same thing.
To succeed, CISOs need all the help they can get, especially at the start of their employment, and I’ll address that momentarily. It’s noteworthy that helpful measures benefit organizations and enterprises in general, not merely individual CISOs. Given the growing CISO shortage, it’s in the interest of most organizations to keep the security leader around as long as possible. This is the case even though they are still often held in lower regard by their colleagues. Other C-suite executives do not infrequently think their relatively narrow skillset makes them insufficiently fluent in business.
To better fit into corporate environments, less multi-faceted CISOs must move beyond monitoring, repelling and responding to cyber threats to become leaders who help create an organizational culture that liberally shares cyber risk ownership. They also need to manage information risk more strategically and, as already mentioned, better integrate security cybersecurity with the business overall.
As is the case in many professions, CISOs have to lead the charge to broaden their acumen themselves – and they’re best off doing so from the get-go. Their first 90 days on the job, in particular, provide a window of opportunity for establishing their credibility and earning a vote of confidence from leadership. This requires, among other things, thoroughly assessing a corporation’s organization, technology, governance, and the processes it embraces.
Here are the steps a newly hired CISO should take:
1. Don’t wait until your first day on the job to prepare.
Learn what you can about colleagues and staff. Try to set up meetings ahead of time with your team and key business and IT leaders, showing that relationship development is a top priority. Don’t make the mistake of approaching your new role with ad hoc communications and plans. Every company’s culture is different, and you have yet to learn it.
2. In the first 30 days on the job, develop an understanding of your new business environment. Meet individually with the organization’s leaders and staff. Immerse yourself in the company’s geographic locations, its business partners and stakeholders, and financial and operational performance.
In addition, go out of your way to identify and engage key stakeholders, such as board members and other strategic leaders, in individual discussions to obtain additional insights and perspectives about the business. Technical staff members should be included on the list because important insights often come from all levels of the organization.
Lastly, CISOs need to familiarize themselves with current and future strategic targets to help determine areas in which security-related initiatives best meet the needs of the enterprise. All of these steps help make the new CISO a more valuable asset. In addition, talking to a multiplicity of qualified employees enhances the breadth of a cybersecurity program because a successful one almost always requires buy-in among most employees.
3. In the second 30 days on the job, independently assess the current state of cybersecurity practices. This helps identify existing cybersecurity strengths, weaknesses and threats and enables the CISO to determine the most cost-effective course of action to improve things.
4. By the start of the final 30-day period, you should have a firm grasp of the cybersecurity environment and be poised to make some changes. You can now begin designing and developing an improved strategy for IT governance and security-- one focused on resolving the identified risks and setting the stage for better risk mitigation down the road.
As more months go by, a thorough and seasoned CISO is in an excellent position to sidestep or at least mitigate cyber breaches. Sometimes the response is painful but the best option. Take a ransomware attack, for example. Should an organization pay hackers to resolve it? Law enforcement says no. But it depends. It’s costly but often less than the cost of data loss, and downtime irritates customers.
An enlightened CISO is the most qualified to weigh the pros and cons of such a decision and make the right call to mitigate trouble. This is a lot better than the wrong call. And in a world replete with chronic attacks and breaches, it’s probably the most any organization can ask for.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.