CISO of Tomorrow


By Aaron PritzPresident AP&A (Cyber Security, Privacy, and Risk Management Boutique Consulting)
(last edited July 25th, 2018)

The explosion in media coverage surrounding cybersecurity and privacy over the last few years has brought awareness of these risks and incidents to an all-time high at board and executive levels. Still, many question whether the commitments made in this moment of heightened awareness are “real enough” or persistent. Many companies still lump the information security organization into IT (which often has high expectations to cut costs and optimize headcount.)

The topic of “where the CISO reports” is a HOT topic within the industry and you can find hundreds of articles with strong opinions. The trend in larger organizations with higher risk awareness (financial services, healthcare/payer, consumer products etc.) has seen the CISO role move away from the CIO reporting structure (which had been the historical tradition for many companies) towards the CEO or other senior leaders.

In the latest edition of its “Global State of Information Security Survey”, PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors, 24 percent report to a chief information officers (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO).  Note, for the accountants reading this, the numbers don’t add up to 100% due to dotted line reporting.

Another trend: titles, levels and salaries have also been on the rise. “Salaries for Chief Information Security Officers (CISOs) at top European firms have topped €1m (£850,000) as the threat of data breaches grows.” according to executive search firm DHR International. However, on the exact opposite side of the spectrum, some senior leaders hunt for cut-rate or even part time CISOs for fractions of the going rate. This dynamic often creates a bigger mess for the next CISO to clean up behind them. CSO Online recently covered this unfortunate trend in an article by Ben Rothke

Average CISO tenure ranges from 12 – 48 months (as reported by Ponemon Institute, CIO.com, and many other sources). This is the most concerning trend. Regardless of your field, you would have to acknowledge the disruption of constant leadership turnover with each leader pulling an organization in a slightly (or significantly) different direction. Why is the turnover unusually high? I’ve seen and heard the following root causes:

  • leaving for more money or better opportunity with another organization
  • getting fired or replaced related to a breach, lack of delivery, or misrepresented state of control
  • leaving because leadership or the culture is not open to the information security agenda
  • being replaced when the organization shifts expectations to reflect more business engagement versus a historically technical security structure and the incumbent lacks needed business acumen

What does all this mean?

It means that for the near future, we will likely see a lot of different approaches as companies and boards continue to figure out the role of information security.

However, I think we are starting to see a light at the end of the tunnel. Recent trends suggest that companies beyond the Fortune 500 are starting to create CISO positions, upgrade their CISO role, and seek out broader skill sets. There isn’t a precise recipe or set of requirements for the perfect CISO (and most organizations probably couldn’t afford it if perfection was a reality). Therefore, I have developed my own Top 10 CISO Attributes based on what my experience shows is required of the CISO of today and beyond (in no particular order):

  1. Security / Controls Advocate – this could come from technical, IT, audit, or risk experience. There is a certain motivational fit requirement that may never be real if you haven’t experienced risk management/reduction roles.  You can find this experience in a number of roles across compliance, audit, risk management, IT quality, etc.
  2. Ruthless Prioritizer– Risk reducing activities are endless in this field. If you don’t practice ruthless prioritization, you are destined to accomplish nothing. This is a field of many distractions from many different directions, whether it be from vendors, tools, priorities, risks… or perceived risks that aren’t really risks to your business.
  3. Transparent and Ethical Rock – This is not a profession for professional BS’ers. You need to be realistic, honest, and transparent with your actions, commitments, and leadership. You need to measure the progress towards outcomes and maturity while resisting the temptation to “cook the books”.  Trust is typically earned through actions and leadership behaviors observed by your team, superiors, and boards.  Trust can make the difference in the unfortunate but likely event of a breach.
  4. Lifetime Learner – A CISO that feels they know everything will be left behind. This is a dynamic field of evolving risks. There is something to learn every day externally and from everyone in their organization.
  5. Empowerer– A CISO that tries to control everything will never excel. Empowering staff to execute and coaching for success is a must.
  6. Risk Manager – Similar to ruthless prioritization. In a field of infinite risks, you have to hone in on what risks are real and relevant to your business. That means starting with a risk lens, not a technical capability or procurement of security tools.
  7. Talent Developer – A successful leader surrounds themselves with people smarter than they are, and spends a good chunk of time enabling others or reducing barriers to achieve outcomes. You need to rely on the knowledge of the experts around you.
  8. Humble Servant– A good CISO should be confident but focus more on their EQ than their Ego. The CISO must be an influencer and a motivator. A big ego can get in the way of both of these things (especially within your own team)
  9. Business Executive – despite the ongoing debate, where the CISO reports to doesn’t make them a business executive. CISOs need to determine how security can be a key differentiator within the market that your business serves. Good CISOs need to know the business well enough to hold their own, see what’s around the corner, and find their own seat at the table so when the big business decisions are made, they aren’t scrambling because they hear about it 3 weeks later.
  10. Dot Connector – With the enterprise risk landscape having many overlaps across cyber security, physical security, privacy, 3rd party risk management, legal, and workforce development, there are lots of opportunities for duplicate and even conflicting priorities.  The effective CISO will be able to pull those teams together (in governance, partnership, and trust) vs perpetuating silos.
  11. Teacher/Educator (Bonus Item Complements of Mitch Parker) – Be a story-teller / influencer that can articulate the “why” around controls or security related initiatives.  This is needed at all levels of the company both inside and outside of the IS department itself.

If you are a CISO or an aspiring CISO, these 10 things can help you project yourself into the CISO of tomorrow vs yesterday.  Tomorrow is already “today” so the quicker the industry can work though this challenge; the better positioned companies will be in this battle.