Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

R.E.S.P.E.C.T.: The way for CISOs to get and keep it

Taylor Armerding | March 11, 2015
While they have a “C” at the beginning of their title, CISOs are held in generally low regard in the executive suite. The way to reverse that, say those who are familiar with, or have held, the position, is to be more than a geek

Anagnos said he believes most CEOs take security seriously, but need to have questions like: "What is the risk?" "What is our current security posture?" and "What to do?" explained and answered clearly by a CISO.

And then there is the "convenient scapegoat" perception. While it is clearly a pejorative term, it seems reasonable to ask why the chief of security shouldn't be held accountable for security breaches. Isn't that what the job involves?

It's a bit more nuanced than that, according to Lyons, who noted that the ThreatTrack survey found that a significant percentage of executives believed CISOs should be held responsible for security breaches, but, "should have limited say in acquiring the technology and resources to prevent them."

In other words, hold them responsible, but don't give them control. "That mentality demonstrates that many in the C-Suite still do not understand the role of CISOs and the value they can bring to the table," Lyons said.

He agrees that, "CISOs should be accountable for their policies and performance. However, it is important to keep in mind that a data breach in and of itself -- with today's rapidly evolving threats -- is not necessarily evidence of negligence or faulty strategy," he said.

Wysopal said in some cases, the CISO should go, if there are, "overall failures of a program."

But he and others note that, "like any critical business function, a security program is made up from a blend of people, process and technology, all of which need to operate together while evolving to keep pace with an ever-changing threat landscape."

Ultimately, for a CISO to get, and maintain, respect will take what Frymier calls a "two-way street" of communication. The CISO will need to make the business case for security measures, but CEOs need to create a climate of respect for security throughout the organization.

Too frequently, he said, "organizations create a CISO position to 'check the box' that they have one.  If the funding isn't there to create a real information security program and an adverse event happens, it's easy to take the symbolic gesture of firing the CISO because he's just a lone person."

That is why, Clark said, it is crucial for a CISOs to build a relationship with the entire executive team -- especially if it is during a time of transition.

"The perfect model of a CISO who has survived and thrived is one who focuses on the relationship first," he said.

"The most successful enterprise-level CISOs are not just entrenched in technology and operations. They are savvy executives who know how to build relationships with other C-level executives and get things done. From there, the respect usually follows."


Previous Page  1  2  3 

Sign up for MIS Asia eNewsletters.