Is it Time to Accept that the Current Role of the CISO Has Failed?

It has become too complex to carry for the profile of people it attracts

The role of the Chief Information Security Officer (CISO) has been in existence for the best part of the last 30 years.

Infosec legends say that it was first created for Steve Katz at Citibank in 1995, and indeed it has had some form of operational reality for over 25 years in many firms, starting with the financial sector, pharmaceuticals, and energy firms, then spreading gradually to all industries over two decades.

I have been involved with the cyber security industry for the best part of that period, but, as far as I can remember, I have always heard CISOs complaining: Lack of resources, wrong reporting line, adverse prioritisation of security matters by the business, constant firefighting and burnout, talent and skills shortages… The list is long, but nobody seems to question why.

In fact, there are inherent problems with the historical construction of the role.

First of all, it was never conceived as a true C-level role. It probably originated in the minds of some organisation consultants, but it never developed any true C-level weight. Even if it may hurt some, it is my opinion that it was very rarely given to people with true C-level potential.

Second, it was almost always given to technologists by trade or background, although the underlying matter is, and has always been, unequivocally cross-functional: You cannot be successful around identity and access management, for example, without the involvement of HR and the business units, and the ability to reach out to them credibly.

As far as the evolution of the role is concerned, endemic business short-termism did the rest: As we established with The Security Transformation Research Foundation in 2019, for the first decade of this century, the prime focus of the role was on risk and compliance, cybersecurity being seen as a necessary compromise between regulatory obligations, risk appetite and costs. It is not uncommon to see organisations and professionals still stuck in that sort of paradigm, but it is broadly outdated.

For the last decade, with the emergence of cloud solutions, the acceleration of the digital transformation, and the accentuation driven by the COVID pandemic – not to mention the more recent supply chain disruptions or craze for generative AI – the world has seen an unprecedented increase in cyber-threats. Most CISOs have been unable to get out of firefighting mode for a long-enough period to address the systemic changes they would need to put in place to truly move their companies forward.

For many, this constant level of stress has become simply the nature of the job: They think it is normal for them to be expected to be credible one day in front of the board, the next in front of regulators, the next in front of pen testers or developers, while at the same time, leading and managing their people and meeting the firm’s reporting obligations in that space.

They don’t seem to understand that it is simply impossible to do a good job at all those levels in today’s context, that they are exposing themselves by accepting it, and that it is the root of their mental health issues and of the endemic short tenure plaguing the role, which in turn is the root cause of the long-term stagnation of cybersecurity maturity in many firms.

They become easy scapegoats when something goes wrong, and tomorrow may even be held personally liable in court in the event of a breach, depending on how legislation develops.

After years of gradual marginalisation and in the face of endless breaches, I think it is time to start accepting that the current construction around the role of the CISO is not working anymore in many firms.

It has aggregated a mixed set of responsibilities and accountabilities without building up the right organisational and managerial momentum, and many CISOs are simply being set up to fail: The role has simply become too complex to carry for the profile of the people it attracts.

To break this spiral, the logic is now to split the role: stripping off the managerial layers it has accumulated over the years and refocusing the role of the CISO on its native technical content, so that it can lead effectively and efficiently at that level, while at the same time building up a CSO role (Chief Security Officer) able to reach across business, IT and support functions and take charge of the level of corporate complexity that cybersecurity is now amalgamating in large firms.

It is time to accept as well that the bottom-up constructions by which CISOs have tried to “convince” senior executives of the importance of cybersecurity over the years have mostly failed, due to an excessive technical focus and the lack of obvious success – aggravated by their short tenures, and in spite of colossal investments by some firms.

An elevated CSO role should be able to build a peer-to-peer dialogue with senior executives and board members, listening to their expectations and constraints, and embedding the protection of the business from cyberthreats at the heart of their agenda.

That’s likely to be a sound way forward in many firms over the coming years, instead of propping up a CISO role that maybe has served its purpose, but now needs to evolve.
