[BreachExchange] Who Wants to Be a CISO?
Destry Winant
destry at riskbasedsecurity.com
Thu Jun 6 09:34:19 EDT 2019
https://www.business2community.com/cybersecurity/who-wants-to-be-a-ciso-02206941
Who wants to be a CISO these days? And at which stage in your career
should you consider the move? What balance of managerial and technical
experience do you need to have? And where do you go from there?
(what’s the step after next? … always the most important question in
terms of career development)
Those would be valid questions for many executive positions but when
it comes to the role of the CISO, they seem to acquire a different
meaning.
Let’s evacuate the first two aspects from the start: Cybersecurity has
developed a high profile in many organisations over the past few
years. Many firms are engaged in transformation programmes in that
space, which will require strong leadership, transversal vision and
managerial and political acumen from the CISO. The role is no longer a
role for a junior technologist, an ex-auditor or life-long consultant.
Of course, control-mindedness and a solid understanding of the
technical aspects relevant to their industry sector are important, but
they must not be seen as the only key aspects.
It’s the “step after next” question which seems to be the dominant
factor preventing people from moving into CISO jobs.
Security still carries an image problem, in spite of the high-profile
of some recent cyber incidents and the undeniable interest developed
by top executives around the topic over the past few years (and the
additional layer of emphasis brought in by the GDPR).
It is still seen by many as a highly specialised field and a dead-end,
plagued by under-investment and management lip service, where you
cannot really achieve anything.
This is becoming wrong on all fronts, in particular in large firms
involved in fundamental transformation programmes around cyber
security:
Security can no longer be seen as a specialised technical silo. It is
a transversal discipline rooted in corporate culture and governance
which will take the CISO in contact with IT, business, HR, legal, risk
and compliance functions. The digital transformation and the “security
and privacy by design” principles coming with GDPR accentuate that
trend even further. Only by looking at security in that way can large
scale transformation programmes be truly successful.
The under-investment and lip-service era is behind us in many firms:
Cyber security is on the Board agenda and “are we spending enough on
cyber?” is becoming one of the most common question at that level. And
the GDPR brings business-threatening fines of unprecedented
proportions which can turn cynical lip-service into an expensive
habit. Priorities and resources are shifting towards cyber security,
but with those come management expectations and execution
responsibilities for the CISO.
As a consequence of the two points above, large scale cyber security
transformation programmes can be very complex and very exposed. They
are nothing but a dead-end. They are exceptional training grounds and
prime areas where ambitious leaders can develop and prove themselves
to the Board.
Of course, ambition is required; and realism around the timeframes
involved with delivering lasting change: It could take 3 to 5 years –
or longer – to turnaround a security practice and that would make it a
significant career step for the individual involved, but the role of
the transformational CISO has all attributes to attract the best
talents, and it is now down to the Board to raise its profile so that
it does.
This goes beyond compensation and reporting lines: It is time for role
models to emerge to illustrate that the successful transformational
CISO is not condemned to hopping from one CISO job to another but can
move into CIO, CRO or CDO roles, or indeed any leadership position
where strong turnaround skills are required.
More information about the BreachExchange
mailing list