[BreachExchange] Staffing the CISO office: A call to senior management for some expansive thinking

Destry Winant destry at riskbasedsecurity.com
Mon Aug 12 10:21:22 EDT 2019


We’ve come a long way from just a relatively few years ago in
institutionalizing the CISO/CSO mandate across our respective
corporate organizational structures. I’ve written here and spoken
countlessly of the imperative for CISO/CSOs being granted equal
footing as their CIO and CRO counterparts to maximize operational
effectiveness and efficiency, not to mention security resiliency; and
if that’s not feasible then s/he should have a dotted reporting line
to the CFO or COO.

Beyond that, there is a stark security gap that concerns me—one that
is more essential and at the same time easier to fix/employ than
senior reporting lines.

I strongly advocate and urgently implore corporate management teams to
assemble and build a strong and resilient digital security leadership
bench within their respective organizations for dual-effect purposes.

Since the beginning of human warfare, long campaigns—and this cyber
war we find ourselves in is/will surely be recorded as the longest
ever continuous national security level conflict—have required
intermittent and overlapping rest and refit for warring soldiers and
their leaders. Pulling the front-line troops ‘off the line’, as it
were. The human body, the human mind cannot sustain indefinite and
unceasing combat operations on the line—whether weighted offensively
or defensively. At some point the soldier, the platoon, the battalion,
the division will crack, and combat effectiveness will fall
precipitously.

Good and farsighted commanders have long recognized this; and so
individuals and units have been pulled off the line to rest and refit
. . . to decompress from hot emotions and prolonged intense focus, to
rest and then rebuild mind, body and importantly spirit. Why should
the cyber battlefield be any different? Sure, there is no hot lead
flying around; and sure, there are no mortally wounded casualties. But
the CISO is indeed fighting a constant onslaught battle…against an
insidious unseen digital enemy(ies) who seeks to do harm to their
company’s structure, piggy banks and operating strategy…to their
professional family.

Intel has gotten better, but it’s still woeful and negligible. Quality
staff are short in numbers. Budgets are for the most part tight.
Insider threat still prevails. Making matters worse, a certain
foolhardy expectation prevails across many (not all) corporate
quarters that cyber is a zero-sum game—that “in hiring a ‘great’ CISO
we’ve won”…and thus the associated corollary that any breach
automatically equates to bad performance by the CISO. This is both
silly and nonsensical. And so, the CISO goes to bed every night with
one eye open, thinking anxious thoughts about unknown bad players who
seek to do as yet unknown harm on her/his digital enterprise…her/his

It begs repeating: cyber engagement is by design and nature
continuous. And a continuous operating cycle, with zero respite for
individual players, is unsustainable and deleterious. The stakes are
high, and the tempo is intense. And thus, can wreak havoc on the mind
and body and spirit. CISOs/CSOs must intermittently be pulled “off the
line” in order to ensure maximum long-term operational efficiency and
enhanced security resiliency. I’m talking real rest and refit here—far
away from the office, with iPhone left in the drawer 23 ½ hours each

Quite simply, it’s not enough for (most) established mid and
large-sized corporate entities to employ just a CISO alone.
Designating a bench of digital security leaders is essential. These
cyber players can be named Deputy CISOs or they can be functionally
assigned this ‘second hat’ remit in more unannounced fashion. Whenever
possible, they should be “promoted” from within, e.g. the SOC Director
being given additional contingency responsibilities. But if current
staffing doesn’t meet the bar, then the CISO should recruit from

Regardless of organizational size and scale, all mid to large sized
corporate benches should be staffed with at a minimum two designated
deputies and not more than four. Deputy implies that s/he can/will
step into the proverbial breach at moment’s notice, with no loss of
operational security effectiveness. Deputies should be thoroughly
cross-trained with their counterparts too. Whether the CISO is
attending one of many offsites s/he will be drawn to during the fiscal
year or if s/he is visiting a client or vendor overseas or simply if
it’s a case of the CISO ‘shutting down’ for two or better three weeks
of mandatory holiday leave…there’s no gap, there’s no loss; just
seamless transition.

Let me be clear, I am no apologist for the CISO/CSO community writ
large. I’m a cyber headhunter; but first and foremost, I’m an
operator. I love it when I see organizations maximizing their inherent
operating capabilities and efficiencies. And conversely, I get a bit
irked when I see good organizations proverbially shooting themselves
in their foot, making relatively-easy-to-avoid bad decisions.

I’m not suggesting that CEOs wholesale unleash their CISOs with zero
conditional restraints. Nor am I saying that budgets for both gear and
staff be virtually limitless. Indeed, the best CISOs exercise
discretion and restraint and often do more with relatively less.
But . . . I am urging CEOs, their boards and management teams to be
smart, expansive and intellectually honest in reflecting on and
deploying their CISO asset.

And in establishing a quality CISO leadership bench, there’s a
positive force multiplier effect here too. For as the CEO/management
team incorporates some enhanced contingency planning for scheduled and
unannounced CISO absences—including forced “quiet” vacation time—the
CISO will gain a greater peace of mind knowing s/he is fully backed
and supported by her/his corporate higher ups; in turn, sustained
superior performance out of the CISOs office is enhanced, thus
enabling a greater sense of quiet (realistic) confidence at the
management team and board level. And, oh by the way, if said CISO is
by chance recruited away (it happens!), easy coverage takes hold.

This is a matter our clients are increasingly taking up with us. Some
proactively; others responding to my harping at every opportunity,
“OK, enough already!” All have come to recognize that an inherent
staffing misalignment around their CISO functionality presents
potentially critical exposure. If you, reading here, are a member of a
management team, I humbly ask that you please raise this matter
internally; have an honest discussion and take determined action if
warranted. You may need to call on your recruiting partner to address
a gap; more likely, you have sufficient staff in place, and need only
employ a bit of organizational creativity and forethought. Whatever
the case may be, let’s get after it.
