[BreachExchange] CISO Expectations Are Becoming Impossible to Achieve

[Destry Winant]

https://www.govtech.com/blogs/lohrmann-on-cybersecurity/ciso-expectations-are-becoming-impossible-to-achieve.html

The following is a fictional job posting. Any resemblance to an actual
public- or private-sector job posting for a CISO is purely
coincidental.

Wanted: An experienced, industry-leading Chief Information Security
Officer (CISO) at well below what the market is paying when
considering both wages and benefits.

This hacker guru, who excels at stopping nation-states and organized
criminals from penetrating (very) vulnerable mission-critical
networks, will lead a team of security staff who struggle in the fight
against global adversaries and cyber war. Note: Filling existing team
vacancies will be an immediate priority, but keep in mind that our
budgets are tight, so hiring freezes will likely be imposed soon after
you are hired.

This recognized expert in executive leadership, project management,
team building, relationship management and budgeting will have a
minimum of 10 years of professional experience (20 or even 30 years
preferred) managing complex security operations centers, supervising
large teams (although the team you will actually manage is rather
small) and recovering from global cyberattacks that have devastated
international business operations. Note: See these recent ransomware
attack examples for more specific details of the challenges we are
facing.

This exceptional individual should be able to mentor staff, build
award-winning strategic and tactical plans, understand the
complexities involved in the global banking system, stop cybercrime
and speak effectively in front of large (internal and external)
audiences in funny, compelling, and industry thought-leading ways.
Note: Obtaining executive buy-in and speaking to media contacts,
lawyers, accountants, college interns and the local PTA is a must.
Expect plenty of after-hours meetings and numerous formal or
information dinners (and lunches and breakfasts too.) And no, your
spouse or family members or significant other is not invited.

The CISO will coordinate, develop and implement corporate policies
such as: information security, privacy, urban data management and
whatever other policies we need for compliance (including, but not
limited to, HIPAA, PCI, IRS and ISO 27002). These policies will be
based on best-practices globally and a comprehensive understanding of
all local, national and international laws that pertain to data,
security, industrial control systems and the Internet of Things (IoT).
Note: We expect this brilliant individual to keep up with relevant,
emerging cyber startups in areas such as artificial intelligence (AI),
quantum computing, 5G, digital assets (like cryptocurrencies) and
other cool new stuff.

A consistently positive, assertive attitude and ability to rapidly
enforce security culture change within our enterprise is a must. This
individual is also measured (required to score) an average of 4 (out
of 5) on 360-evaluations from management, peers, business clients,
external partners and internal staff. Any disagreements with senior
executive management will not be tolerated. Frustration (and certainly
fits of outward rage) will lead to an early dismissal for cause —
without any termination compensation.

Required professional certifications include: CISSP, CISM, ISSMP,
CSSLP and C|CISO. A CRISC certification is strongly preferred but not
required. This hands-on pro will also manage several vendor partners.
Certifications in acquisition management from federal
three-letter-agencies (such as CIA, NSA, DHS or FBI) including
procurement management, legal provisions and complex contracts is
strongly preferred.

Education shall include a master’s degree in computer science,
cybersecurity or electrical engineering, but a doctorate degree in one
(or more) of these fields is strongly preferred. Note: Please include
several of your recent blog postings, articles and/or books you have
written (along with your Twitter handle and LinkedIn profile and
password) in your application on page 21. The forms are right after
the FBI background check details, but before the release authorization
for five years of family tax records.

Speaking of background checks, proof of no criminal wrongdoing (ever)
along with exemplary service to your community (shown via at least one
nonprofit organizational award) is assumed. In addition, previous
(successful) examples of leadership roles outside of work are strongly
preferred — please list these references on page 37 of the
application. Active involvement in non-political (but acceptable by
our standards) social causes is encouraged before, during and after
employment. Note: We are an equal opportunity employer, and all
applicants are encouraged to apply regardless of ethnic background or
religious beliefs.

Must be available for frequent travel and 7x24x365 access/availability
even on vacations and holidays, should the need arise — and it will.
Note: Out-of-state travel will generally be limited to under 40
percent of your time, depending on the number of domestic and
international conferences you are asked to participate in.

Most important of all: The search committee expects this new CISO to
ensure (in writing) that NO DATA BREACHES WILL EVER OCCUR ON YOUR
WATCH! Any ransomware attack or phishing attack that is successful
against any of our company staff or contractors (for the bad actors
and against our organization) will be considered an unacceptable
security incident for the purposes of your limited-term legal
agreement. Note: This one-sided contract shall be signed on the first
day of work.

In the event that the search committee is unable to find qualified
applicants that meet all of the stringent requirements for this CISO
role, we reserve the right to waive any (or all) requirements and hire
the best candidate from within. Note: If this alternate selection
process is chosen, the selected candidate will be on probation and
have one year to fully meet all position requirements listed herein.

Expect 'other other duties as assigned' to be added to this CISO role.
Final Note: The qualifications committee is still working on
additional requirements that will be discussed with applicants who
qualify for a formal interview.

Where Did This CISO Job Posting Come From?

OK, I admit that I went way over the top and (intentionally)
embellished this CISO job posting to make my point. I certainly did
not intend to offend anyone, but this description represents many of
the unreasonable expectations that more than a few CISOs feel right
now.

Regardless of your views on my (attempt at) humor, expectations for
chief information security officers (CISOs) have grown immensely over
the past decade. Many goals and deliverables are virtually impossible
to meet — especially in the public sector. Some experienced CISOs are
even leaving the role (but not the cybersecurity industry) to become
expert consultants in cyber.

Many CISOs are now in a “no-win” situation, and it feels like (beyond
the job description), Iron Man or Wonder Woman couldn’t even succeed,
given all of the challenges. CISO expectations from management have
become unachievable, even as our security challenges get harder to
address.

So why do I make these claims, and what can we do about the
expectation problems? That’s what we will cover for the remainder of
this blog.

Why Now? Examples Please?

First, there have been dozens, perhaps even hundreds, of articles,
books and white papers over the past several years providing analysis
and guidance on why CISOs fail and/or what it takes for security
leaders to succeed. Most of these provide a level of helpful analysis
and good advice.

Here is one article I read recently from Rajeev Shukla on Peerlyst. I
encourage you to read his well-done article, with helpful charts. Here
are 11 of his reasons for CISO failure:

1. Caught into "Product Panacea" mindset
2. "Insufficient Understanding" of cyber areas
3. Lack of vision, to create, "Program Frameworks"
4. Over dependence on high cost "Consultants & Services"
5. Operational oversight, caused by "Ineffective Delegation Model"
6. "Lacking Personal Ability to Retain Talent" in key areas of cysec team
7. "Hype Fancy" leading to unreal connection with ground realities of CySec
8. "Critically Lacking Assertiveness" in keeping, defending and
moderating a point
9. "Hiding of Info/State" by their own team and own organizational
elements, leading to chaos
10. An "Inability to Navigate Politics" of the larger organization,
and, implement/influence decisions/actions
11. "Getting Caught into Politics" at the critical points, which
demand, direct and assert resolution models

In this article, Nick Sanna describes how CISO expectations have changed.

SecurityRoundtable.org also explains: The evolving role of the CISO:
>From risk manager to business enabler.

ISSA offers some great advice and direction in their great CISO
Mentoring Webinar Series, which covers a long list of topics from
seasoned experts. I even participated in one of these podcast in this
series in September 2015 titled: “The Top Five Mistakes New Security
Leaders Make.”

And yes, I have written extensively on this topic going back to 2010
when I wrote a blog series for CSO magazine on the seven reasons
security pros fail.

More recently, see: Wanted: Effective CISOs Who (Happily) Stay Longer.

Also, I offered input into this article by Joan Goodchild on 6 Steps
Every New CISO Should Take to Set Their Organization Up for Success.

I could go on and on, but I’ll stop there. Feel free to google terms
like “CISO failure” (or add success) and you will find many more
articles and books on CISO requirements and what’s needed to succeed.
These are all (hopefully) helpful pieces that make good points.

So What’s the Problem?

But taking a step back and taking them as a whole, these lists have
become overwhelming and impractical to perfect.

Almost like diet books, this seemingly endless list of tips, tricks,
ideas, and must do’s for CISOs to be an over-achiever isn’t going away
anytime soon.

My concern is that no one — and I repeat NO ONE — can possibly do all
of this. Expectations have grown to be (almost) like the job
description at the beginning of this blog.

While I really like Rajeev Shukla’s article above, my heart sank when
I heard this was part 1 of 5. (Part 1 alone seems overwhelming to
master by itself.)

So should we just give up and not give advice? Of course not! But we
must also balance these lists and problems with burnout and reality of
a genuine security leadership career. Not all CISOs are created equal,
and most will never be able to consistently achieve half of what we
are preaching in these books, lists and articles.

So yes, the pendulum is swinging back the other way for me. And others
are saying the same things.

Consider these articles:

Delta Risk — CISOs Life: How are you holding up?

Nominet (UK): Four reasons not to blame CISOs

Nominet (UK): Life Inside the Perimeter, Understanding the Modern
CISO, with this quote:

- A quarter of CISOs worldwide suffer from physical or mental health
issues due to stress
- Almost a third fear for their jobs
- Many feel that other board members don’t recognize the inevitability
of attacks
- More than half lack budget or resources to deal with a growing
threat landscape

One Answer PLEASE?

So how can we deal with the data breaches, ransomware and critical
system outages, along with associated media headlines, that have
(sadly) become commonplace around the world?

Yes — CISOs are vitally important. Hire the best you can. Of course we
need to hold CISOs accountable, but they also need lots of help and
support.

CISOs are like quarterbacks on a football team. Good quarterbacks are
leaders who inspire trust. They are often team captains with great
skills and abilities.

BUT THEY ARE NOT THE ENTIRE TEAM.

The CEOs, CFOs and/or top government leaders, including elected
officials, all have major roles to play, as do other parts of the
technology and business teams. Organizations need to be “all-in” on
cyber.

The Deloitte-NASCIO State Cybersecurity Study has been done five times
over the past decade, and the results remain the same again and again.
Cybersecurity teams need more resources (dollars and staff),
especially in government circles.

As Doug Robinson, executive director of NASCIO, recently said about
successful cybersecurity programs at a NASACT Conference in Arizona,
“Competence is also about governance, authority and continuity.”

Many of these factors are outside the control of appointed CISOs.
These responsibilities are not just for CISOs — or even CIOs. The
security and technology groups need lots of executive help from top
elected officials and business and corporate leaders.

Final Thoughts

My readers are familiar with my football (and other sports) analogies,
as related to cybersecurity. Here are a few of my pieces on this topic
over the past decade:

- How Football Can Help Explain Data Breaches
- How to Improve Cyberstrategy by Learning NFL Defensive Tactics
- On Data Breaches: Beware of Professional IT Pride Leading to a Fall
- Reinventing: What Government Leaders Can Learn From Tim Tebow

I list these articles again, because I truly believe that CISOs, just
like many athletes, can try and do too much and succeed at very
little. Quarterbacks take time to develop, and different players will
have different strengths and weaknesses.

Bottom line: We are now making expectations for this CISO role too
hard — like confusing a new quarterback who just gets to college with
a complex playbook. Good coaches know that it takes time to develop
and learn and mature and be successful in any complex system.

And winning is a team effort.

"Talent wins games, but teamwork and intelligence win championships."
— Michael Jordan