Prologue
The CISO[1] community acts both as a hive mind where we crowdsource decisions and test out provocative ideas, and as a support and counseling group for fellow travelers. Several conversations seem to repeat, cyclically and seasonally, on the CISO mailing lists to which I belong. One is around penetration testing and the firms we use for third-party assurance.[2] Another is around budget.[3] A third is around our organizational reporting line, and the extent to which that relationship affects our effectiveness. In that sense, this post can be considered the latest in a series of essays that save me time when corresponding with my peers, whose opinions have shaped mine and vice versa.
What, exactly, is it that you do?
— another CISO, Wired, 2018-07-25
I was asked several times this past summer by interns in my organization, "Can you define your job for me?" Many of them were surprised that I didn't talk much about the CISO delivering a robust cyber defense, effective audit readiness, chaos-free disaster recovery, or ninja-level attack simulation campaigns. I explained that, while those are indeed all outcomes my team and I are expected to deliver, each of them is somebody's job in my org, but not mine.
— a former CISO, TechCrunch, 2018-09-06
My job, I explained, is to wear the "C" – the "Chief" title that distinguishes my role from anyone else's on my team. Whereas it is a common trope in the tech industry that "security is everyone's responsibility,"[1][2] the CISO is the one accountable and empowered to ensure that a company has a strong culture[3] for information security, from the board room through to the front lines. Like a hockey captain who is expected to communicate with the referees and manage the flow of the game, the CISO is expected to discuss uncomfortable truths with senior leaders – exercising the courage required to do so when necessary.
We've all seen it, just like the ubiquitous "see something, say something" campaigns. ↩︎
My favorite one might be the version from the NSA's archives that was just released under FOIA! ↩︎
The pace of adapting defenses to evolving threats, the tone at the top set by senior leaders, and the feel in the trenches that the security regime creates for front-line staff. ↩︎
— Wired, describing the environment at Maersk, prior to their catastrophic NotPetya outbreak.
The Conscious CISO
Target was excoriated for not having a CISO at the time of their late-2013 breach; instead, the CEO and CIO left the company, having been held accountable for a compromise occurring on their watch. This critique rings true if one believes that the "C" matters, that having that title bestows upon a CISO – as opposed to, say, a Director of Information Security – the power and obligation to, without filter or intermediary, engage other leaders, including others with a "C" in their title[1], to influence their risk-taking decisions and the appetites and tolerances that drive them.[2]
If those leaders do not understand the risks that their company faces, or the countermeasures that companies like theirs are reasonably expected to employ, the CISO is effectively part of the problem.
In Conscious Business, Fred Kofman challenges us to think differently about the amount of control we exert over our daily affairs. Kofman makes a distinction between people who confront negative outcomes by finding ways they could have changed their own approach (players)[3] and those who attribute failure primarily to external forces (victims)[4]. Indeed, the world began to look very different to me when I realized that telling someone, "sorry I was late, I was in X meeting" was another way of saying, "sorry, I chose to prioritize X meeting over yours."[5] Kofman offers that a player, when confronted with failure, will ask,
how did I contribute – by doing or not doing something – to the problem?
This start-with-the-mirror approach has molded the way I've thought about my CISO role ever since.
CEO, CFO, COO, CIO, CTO, etc., are obvious, but it's a handy coincidence that General Counsel also technically has a "C" for purposes of this conversation. ↩︎
An uncomfortable corollary of this belief is that hiring a CISO, as Target did several months after the breach occurred and with the board under significant investor pressure, does not create unconditional safety for other executives or the board – they must be at least open to an effective, reasonable CISO's influence. ↩︎
A common misconception is that Kofman's players assume full personal responsibility for all events; I've found that it's less about that than it is about looking in the mirror first to assess what opportunities I had to engage differently and what role that played in the final outcome. ↩︎
"I did everything possible" and "it is what it is" are common corporatespeak encodings for "I'm the victim here, don't blame me." ↩︎
To see Fred give a talk on the victim/player mindset difference, this video is a good start. ↩︎
The soccer team
One of the main arguments for the CISO not reporting to the CIO[1] is the perception that there is a natural conflict of interest: the CISO is often viewed as the ultimate soccer goalie, defending the enterprise from a constant barrage of shots, while the CIO is the ultimate striker, constantly trying to advance the ball downfield, taking on what risks may come in the process.[2]
The fact of the matter is, yes, the CISO does have to fight for budget. Yes, the CISO is most often the advisor and not the ultimate decision-maker. Yes, the CISO has peers whose goals are set differently from his own, sometimes in conflict with them. The data, however, does not support the hypothesis that results suffer in this situation.
A joint PricewaterhouseCoopers (PwC) report suggests the opposite: respondents in whose organizations the top security executive reported to the CIO suffered smaller losses than those in many other configurations[3]. Why doesn't the conflict correlate with worse outcomes? I have a working theory: the "C" in their title empowers the CISO to be a player, not a victim, even in these circumstances.[4] Still, there is considerable work for the CISO to do. In particular, there are several key questions the "player CISO" should be able to answer in light of the potential hurdles above:
- Budget: at what point in the budgeting cycle does the next dollar spent on security yield less value to the company than spending that dollar on R&D to develop new products, or marketing to grow top-line revenue, or paying down technical debt[1], or adopting a new technology pattern[2]? Have I effectively communicated the value of the security-related roles/projects/services that are potentially below the line, and am I aligned with their placement given my knowledge of the company's goals and other teams' needs? If the board asks, "what would you do with $X million more," am I prepared to name the investments and explain their value?
- Objectives: have I influenced the CIO and other stakeholders enough that security is built into the CIO's goals, creating incentives that align the technology organization's trajectory with the company's stated (or implied) risk tolerance? Does the CIO regard our partnership as competition, cooperation, or collaboration?[3]
- Decisions: do I have an outlet to safely report organizational risk, irrespective of its provenance, to a responsible leader or committee? If not, what am I doing to influence company culture and secure those channels? Have I created a lingua franca in which risk is described, both quantitatively (hazard) and qualitatively (outrage), in terms that key stakeholders understand and agree upon?[4]
which should benefit the defense, with little action on the CISO's part, simply by reducing attack surface ↩︎
which should benefit the defense, if the CISO is effective at embedding solid security engineering principles into the architecture ↩︎
Three C's of team dynamics:
- Competition: zero-sum game, if you win, I lose.
- Cooperation: I will help you as long as it doesn't set me back from my own goals.
- Collaboration: I understand your goals and they are important to me, I will help you win.
See Peter Sandman's seminal work for why "hazard and outrage" are the new "impact and probability". ↩︎
Coda
As a CISO, I have spent portions of my career both within and outside of my companies' Technology organizations. I felt empowered in both scenarios because I not only had the legitimacy to govern, bestowed in part by the "C" in my role, but had also earned the respect of the governed and their willingness to partner with me as co-equal branches in crafting and enforcing the policies and standards to which they would be held. In that sense, I played the role of CISO more as a defensive midfielder than a goalie. Having clear expectations that the first line of defense for information protection sat within Technology enabled me not simply to play defense[1] but also to set up the offense – enabling emerging strategies[2] to be delivered with robust levels of both speed and safety, meeting the company's goal of winning together rather than just individual units' targets of goals scored or allowed.
I did learn along the way that, in order for me to play the second line of defense effectively, and to avoid being a victim of risk-taking-by-fiat or conflicting incentives[3], one particular ceremony was critical. It was performed several times over my career, but it generally followed a consistent script, in which a leader gave me the following instructions:
Erick, if you as the CISO believe that there is a clear-and-present danger to our data and systems, and if you as the CISO believe that the leaders who can address this danger are failing to heed your advice, you must know that you can come to any member of senior staff, starting with the GC and the CFO, for help. If they fail to help you, you can come to the CEO. And if the CEO fails, you must go to the board.
This ceremony played out multiple times: I've had my CIO and CEO confirm it in one-on-one sessions; it's been spoken for dramatic effect during my visits to senior staff; and it has been shared with the Board. Each time, it cemented the understanding that the "C" in my CISO title matters: I am both empowered and expected to own and drive our risk culture, to collaborate with stakeholders at all levels on aligning risk load with appetite, and to execute my duties as a true player – irrespective of reporting relationships.
stop all the shots-on-goal! ↩︎
cloud/mobile/analytics/mergers-and-acquisitions/etc. ↩︎
Note that the CIO's role is not the only one susceptible to this dynamic – ask your favorite VP of Sales if they experience creative friction with their CISO because they can't simply adopt the latest headline-grabbing startup's something-as-a-Service without due diligence, or your favorite CFO if they would like to reduce their cost-per-X in technology or their cyberinsurance spend in the next fiscal year. ↩︎