This blog post is intended for anyone managing a chief information security officer (CISO) or looking to fill the CISO role. This might also be helpful if you're a CISO, and you feel like this is something you want to share with your manager or supervisor.
This topic came up when I was doing a presentation on the challenges of being a CISO in today’s world.
As I was preparing for that presentation, I found a stat that said 64% of security professionals want to quit their job. (2019 survey on helpnetsecurity.com)
That was a stat that just blew me away.
The world needs security professionals, and specifically Chief Information Security Officers. Why is it that two-thirds of those people want to quit their job?
While that presentation was focused on what CISOs can do to improve the situation, it occurred to me that their managers may need some guidance as well, and thus the need for this post.
To cut to the chase, we find most of the issues happen when information security doesn't align with the business objectives. This is caused by some combination of lack of understanding by the CISO, and poor communication by their manager.
There’s a natural gap between management and information security; it’s like they are speaking different languages. In my opinion, the job of the CISO is to bridge that gap, to become the translator.
But that can be hard to do.
That's one of the reasons we're seeing a rise in demand for business-minded CISOs, and one of the reasons that the virtual CISO, or CISO-as-a-service, is gaining popularity. (If you’d like to know more, I suggest checking out our whitepaper.)
First, let me help you understand the challenges of being a CISO.
Stress and Pressure – CISOs can often feel like they have the weight of the world on their shoulders; like they are in this fight alone. They also feel like any mistake by any user at any moment could come back on them. That's a tough situation to be in.
Knowledge and Expertise – Many of us fall into the trap of thinking that a chief information security officer is a purely technical role. But we’ve found that for the CISO to be effective, they have to be able to bridge many different gaps in the organization. And to do that, they have to have six different skill sets:
That is a tall order for a single individual to possess, but without them, it will be difficult for the CISO to be effective in a financial institution.
Understanding of Value – As I said, many CISOs don't truly understand the business objectives of their bank or credit union. That makes it really hard to understand how they provide value to the organization, and that will make the Information Security Program feel disjointed, or out of step with the rest of the organization, leading to friction internally.
Being Understood – Many CISOs were put in the role because they are highly technical in nature, but that means that they may not have the business understanding and communication skills to clearly communicate the risks, controls, and strategy at an executive level. This can result in management feeling like they don’t really understand the state and direction of the information security program, which is frustrating to both sides.
Well, now that we know some of the challenges of being a CISO, we can begin to understand where they might need support, and what you as a manager of a CISO can do to help.
Establish culture – We talked about this in this post back in 2017. Not much has changed. You have to set a culture that understands that information security is hard. It takes effort from everyone. Incidents are a matter of when, not if. You need to explain to your CISO that you understand that and that you're with them along the way.
Explain business objectives – Information Security has to align with the general business objectives. How can that happen if the CISO doesn't understand what those are?
Are you in an area of growth?
Are you looking to acquire?
Or do you want things to stabilize?
Sit down and explain this to them, so they can be moving in step with you, not pulling in the opposite direction.
Get them involved – Get your CISO involved with the rest of your management team. The more they can understand what challenges other folks are facing, the better they can do their job.
Help them pick their battles – You may have to coach your CISO on prioritization and ask them tough questions like, “Is this really a big deal right now?” As I said before, CISOs often feel like everything is important because of the pressure they feel, especially if they are not good at risk management (one of the 6 keys from above). This is not a feasible approach; if everything is important, then nothing is.
When your CISO can prioritize in alignment with the overall business objectives, they will gain credibility as a business leader with their peers and generally have better relationships throughout the entire organization.
Coach them on business and communication – You may have to work with your CISO on how to effectively communicate, not only to the rest of the management team, but maybe even between you and them.
Have an honest discussion with them. If you don't understand what they're saying, be confident and safe enough in your own situation that you can say to them, “I don't understand what you mean by this, and you're going to have to help me.” Explain to them that when they talk in acronyms and use language that goes over the heads of the rest of the management team, it doesn't help their situation at all.
Care – We've talked to CISOs who say, “it just feels like what I do here is not important.” If it is important, you as a leader need to explain that to them from time to time. And thank them for what they're doing.
I hope you found this material helpful. If you're struggling to connect with your CISO or you're considering hiring a more formal CISO position in your organization and are wondering what it might be like to manage them, reach out and give us a call. We would be happy to help.
Or if recruiting, training, managing, and retaining the CISO role in your organization seems like a lot of work when you may not even need a full-time employee in that position, you may want to consider the virtual CISO or CISO-as-a-service offerings. If you're interested in finding out more, I suggest downloading our white paper.
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Bank Management: 5 Ways a CISO Can Help Drive Innovation
https://www.bedelsecurity.com/blog/5-ways-your-ciso-can-drive-innovation
If Everything is Important, Then Nothing Is.
https://www.bedelsecurity.com/blog/if-everything-is-important-then-nothing-is
The Fundamental Roles of an Information Security Program
https://www.bedelsecurity.com/blog/the-fundamental-roles-of-an-information-security-program