There is a particularly vexing problem that occurs within American business as it relates to the CISO position. It goes something like this. Management hires a CISO and puts them in place. They vet them carefully and make sure they have a good-quality candidate. Then they assign them their tasks and the CISO is off and running.
A while down the road the company gets breached. The company goes through a terrible time, suffering a great deal of pain and exorbitant expense to recover from the breach. Then management fires the CISO and goes out to find another one, and the process starts again. Quite possibly the same thing will happen all over again. So what is the problem?
Is The CISO The Problem?
No, the CISO is not necessarily the problem. He is part of the solution. Unfortunately, many companies do not know what to do with the CISO, so there is a revolving-door syndrome that no one likes to talk about. Instead, let’s look a little deeper to see what is really going on.
First, when the CISO was hired he was probably placed under the CIO or the CFO, not in a staff position and not reporting directly to upper management. Second, he does not necessarily have direct access to senior management. Consequently, his recommendations and plans are not always followed.
What happens next is that you have an exposed company with little or no more protection from attack than it had before.
When you hire a new CISO, yes, you should vet them. Yes, you should get the best candidate you can find and spend as much as you need to, because it will cost you. But when vetting them, make sure they have executive-level experience. Ensure they are not just the cybersecurity guy at your company or at their previous employer.
Then, when you bring them in, introduce them to your entire executive staff, including your board of directors. They all should have a working relationship with him, even the CEO. This is critical to the overall success of your cybersecurity. The issue of executives having enough time will come up for all of you, but this does not have to be a time sink. It can be very productive and kept to a minimum of time. For instance, regularly scheduled meetings and calls are better than having the CISO involved in every staff meeting. And remember: when you do experience a major breach, or have to fire a CISO and hire a new one, you are going to be looking at a very big time commitment.
The CISO should be able to deliver his executive-level plans and supporting reports quickly and succinctly for all concerned: at least twice a year for the board, and at a minimum quarterly for the CEO and his staff. More is better, but it depends on the situation and on the importance of cybersecurity to your operation and survival. Getting that CISO in place with the right support is critical to your security.