I was working on a project recently and it came to my attention that the previous person in the CISO role had been let go. In fact, I knew the old CISO and he was a very strong and competent individual in the cybersecurity arena.
It was the reason I was working on the project in the first place: the previous CISO had been fired 6 months prior, and management was having a hard time finding a replacement CISO. This is actually a common story in this business, and it has a familiar pattern to it. What makes it so frustrating is that it is just not necessary.
The familiar pattern is this. A CISO is hired to be the chief information security officer at a company and is given the mandate to keep the company safe from internet attack, an incredibly important and difficult task. The CISO goes to work doing all of the things he should do: developing policies, working with IT to make sure they are following the proper procedures, and communicating with the various department heads on how to maintain a secure posture.
But what happens, in reality, is that many times the CISO is only covering part of the picture, not by his own choosing but by the nature of the structure of the company. For cybersecurity to work, you need to cover all of the bases, and most CISOs never get that chance. Many times they are only allowed access to part of the company, or to only a few people in management, and often not to the executive suite. Or they are required to move everything through their management, which is the CIO, and their efforts get filtered.
It Gets Worse
Unfortunately, when the breach does occur, the CISO is made responsible for it and is forced to leave, causing management to go search for another CISO and start the same process all over again. Since the structure did not change at all, only the CISO, it will probably happen all over again. It becomes a sort of revolving door as CISOs move from company to company.
One of the things I do is ensure that the structure of the organization is within my reach before I start a project. Since I am consulting from the outside, many times this is feasibly achieved. But the CISO reporting to the CIO does not have this luxury, which is too bad, because finding a new CISO can take upwards of a year and will normally cost your company twice what the previous CISO cost in salary, bonus, and recruiting, all without making any significant change to your cybersecurity posture. In fact, it puts the company at risk, since it will now be going without a CISO for over a year while searching for a new one.
Make sure your corporate structure is set up to help your CISO succeed; if you do, then you will succeed also.