The CISO community acts as both a hive mind where we crowdsource decisions and test out provocative ideas, and as a support and counseling group for fellow travelers. There are several conversations that seem to repeat, cyclically, seasonally, on the CISO mailing lists to which I belong. One is around penetration testing and the firms we use for third-party assurance. Another is around budget. A third is around our organizational reporting line, and the extent to which those relationships impact our effectiveness. In that sense, this post can be considered the latest in a series of essays that save me time when corresponding to my peers, whose opinions have shaped mine and vice-versa.
What, exactly, is it that you do?
One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe [...] it takes so frickin' long to push some of this stuff. The barriers you face at any company not post-breach is you're always fighting for budget, you're always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you're in a post-breach environment, everyone already knows that it's critically important.
— another CISO, Wired, 2018-07-25
I was asked several times this past summer by interns in my organization, "can you define your job for me?" Many of them were surprised that I didn't talk much about the CISO delivering a robust cyber defense or effective audit readiness or chaos-free disaster recovery or ninja-level attack simulation campaigns. I explained that, while those are indeed all outcomes that my team and I are expected to deliver, each of those is somebody's job in my org, but not mine.
When you decide to take on the [chief security officer] title, you decide that you’re going to run the risk of having decisions made above you or issues created by tens of thousands of people making decisions that will be stapled to your resume.
— a former CISO, TechCrunch, 2018-09-06
The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.
— Wired, describing the environment at Maersk, prior to their catastrophic NotPetya outbreak.
The Conscious CISO
Target was excoriated for not having a CISO at the time of their 2014 breach; instead, the CEO and CIO left the company, having been held accountable for a compromise occurring on their watch. This critique rings true if one believes that the "C" matters, that having that title bestows upon a CISO – as opposed to, say, a Director of Information Security – the power and obligation to, without filter or intermediary, engage other leaders, including others with a "C" in their title, to influence their risk-taking decisions and the appetites and tolerances that drive them.
If they do not understand the risks that their company faces, or the countermeasures that companies like theirs are reasonably expected to employ, the CISO is effectively part of the problem.
In Conscious Business, Fred Kofman challenges us to think differently about the amount of control we exert over our daily affairs. Kofman makes a distinction between people who confront negative outcomes by finding ways they could have changed their own approach (players) and those who attribute failure primarily to external forces (victims). Indeed, the world began to look very different to me when I realized that telling someone, "sorry I was late, I was in X meeting" was a different way of saying, "sorry, I chose to prioritize X meeting over yours." Kofman offers that a player, when confronted with failure, will ask,
how did I contribute – by doing or not doing something – to the problem?
This start-with-the-mirror approach has molded the way I've thought about my CISO role ever since.
The soccer team
A powerful parable in Kofman's book, used to illustrate the dangers of management-by-objectives, is that of the soccer team. In short, the idea is that the seemingly rational "performance objective" for a defensive unit would be to allow as few goals as possible, and for the offensive unit to score as many as possible. The punch line is that, under such a system, the defense would happily lose 1-0 (only one goal allowed!), while the offense would be content to lose 11-10 (we lit it up!), each having achieved their performance target with aplomb.
One of the main arguments for the CISO not reporting to the CIO is the perception that there is a natural conflict of interest: the CISO is often viewed as the ultimate soccer goalie, defending the enterprise from a constant barrage of shots, while the CIO is the ultimate striker, constantly trying to advance the ball downfield, taking on what risks may come in the process.
The fact of the matter is, yes, the CISO does have to fight for budget. Yes, the CISO is most often the advisor and not the ultimate decision-maker. Yes, the CISO has peers whose goals are set differently from – and sometimes in conflict with – his own. The data, however, does not support the hypothesis that results suffer in this situation. A joint Price Waterhouse Coopers report suggests the opposite: respondents in whose organizations the top security executive reported to the CIO suffered smaller losses than in many other configurations. Why doesn't the conflict correlate with worse outcomes? I have a working theory: the "C" in their title empowers the CISO to be a player, not a victim, even in these circumstances. Still, there is considerable work for the CISO to do. In particular, there are several key questions the "player CISO" should be able to answer in light of the potential hurdles above:
- Budget: at what point in the budgeting cycle does the next dollar spent on security yield less value to the company than spending that dollar on R&D to develop new products, or marketing to grow top line revenue, or paying down technical debt, or adopting a new technology pattern? Have I effectively communicated the value of the security-related roles/projects/services that are potentially below-the-line and am I aligned with their placement given my knowledge of the company's goals and other teams' needs? If the board asks, "what would you do with $X million more," am I prepared to name the investments and explain their value?
- Objectives: have I influenced the CIO and other stakeholders sufficiently to ensure security is mixed into the CIO's goals adequately to create virtuous incentives to match the technology organization's trajectory with the company's stated (or implied) risk tolerance? Does the CIO look forward to our partnership as competition, cooperation, or collaboration?
- Decisions: do I have an outlet to safely report organizational risk, irrespective of its provenance, to a responsible leader or committee? If not, what am I doing to influence company culture and secure those channels? Have I created a lingua franca using which risk is described, both quantitatively (hazard) and qualitatively (outrage), in terms that key stakeholders understand and agree upon?
As a CISO, I have spent portions of my career both within and outside of my companies' Technology organizations. I felt empowered in both scenarios because I not only had the legitimacy to govern, bestowed in part by the "C" in my role, but I also earned the respect of the governed and their willingness to be partners with me as co-equal branches in crafting and enforcing the policies and standards to which they would be held. In that sense, I played the role of CISO more as a defensive midfielder than a goalie. Having clear expectations that the first line of defense for information protection sat within Technology enabled me to not simply play defense but also to set up the offense – enabling emerging strategies to be delivered with robust levels of both speed and safety, meeting the company goals of winning together, not just individual units' targets of goals scored or allowed.
I did learn along the way that, in order for me to play the second line of defense effectively, to avoid being a victim to risk-taking-by-fiat or conflicting incentives, one particular ceremony was critical. It was performed several times over my career, but it generally followed a consistent script, where a leader gave me the following instructions:
Erick, if you as the CISO believe that there is a clear-and-present danger to our data and systems, and if you as the CISO believe that the leaders who can address this danger are failing to heed your advice, you must know that you can come to any member of senior staff, starting with the GC and the CFO, for help. If they fail to help you, you can come to the CEO. And if the CEO fails, you must go to the board.
This ceremony played out multiple times: I've had my CIO and CEO confirm it in one-on-one sessions; it's been spoken for dramatic effect during my visits to senior staff; and it has been shared with the Board. In doing so, it cemented the understanding that the "C" in my CISO title matters: I am both empowered and expected to own and drive our risk culture, to collaborate with stakeholders at all levels on aligning risk load with appetite, to execute my duties as a true player – irrespective of reporting relationships.
Chief Information Security Officer
We all want to use the best and brightest, and there's benefit to periodically reassessing diversity in the gene pool.
Keeping up with the Joneses is a peculiar American obsession.
CEO, CFO, COO, CIO, CTO, etc., are obvious, but it's a handy coincidence that General Counsel also technically has a "C" for purposes of this conversation.
An uncomfortable corollary of this belief is that hiring a CISO, as Target did several months after the breach occurred and with the board under significant investor pressure, does not create unconditional safety for other executives or the board – they must be at least open to an effective, reasonable CISO's influence.
A common misconception is that Kofman's players assume full personal responsibility for all events; I've found that it's less about that than it is about looking in the mirror first to assess what opportunities I had to engage differently and what role that played in the final outcome.
"I did everything possible" and "it is what it is" are common corporatespeak encodings for "I'm the victim here, don't blame me."
To see Fred give a talk on the victim/player mindset difference, this video is a good start.
including CFO, COO, and GC
This hypothesis should not in any way discount the information-sharing benefits of being part of Technology leadership rather than being invited in as a welcome outsider.
which should benefit the defense, with little action on the CISO's part, simply by reducing attack surface
which should benefit the defense, if the CISO is effective at embedding solid security engineering principles into the architecture
stop all the shots-on-goal!
Note that the CIO's role is not the only one susceptible to this dynamic – ask your favorite VP of Sales if they experience creative friction with their CISO because they can't simply adopt the latest headline-grabbing startup's something-as-a-Service without due diligence, or your favorite CFO if they would like to reduce their cost-per-X in technology or their cyberinsurance spend in the next fiscal year.