A colleague sent me a headline and executive summary from a Forrester "Forrsights" piece called "The new IT security buyer landscape" by Heidi Shey and Stephanie Balaouras. I have not yet had a chance to read the paper, but the executive summary has caught my attention when you juxtapose it against recent conversations and discussions I've had with some of you. The core question out there seems to be - "is this the year we reinvent the CISO?" and I'm hesitant to answer anything besides an emphatic yes.
(This entry is a cross-post from Following the Wh1t3 Rabbit.)
The executive summary of the Forrester piece calls out the fact that CISOs are by and large getting absolutely no respect. While I'm not sure I completely agree with that stance, I do believe that the CISO role is fundamentally flawed. The main reason I believe the role of the CISO is fundamentally flawed is that the name of the role itself implies a disconnect from the business. "Information Security" implies you're looking at information and focusing primarily on that as your goal, rather than on the business. This may sound like a trivial play on words, but believe me, where the boardroom is concerned, this matters.
If the CISO (Chief Information Security Officer) isn't the right title, then what is? Well, Forrester suggests that maybe it's time for the CBSO (Chief Business Security Officer) to rise up from the ashes as the reinvented CISO. I've given this a lot of thought, and I'm inclined to agree. The authors write "To make this transition, CISOs must demonstrate a traceable alignment to business objectives and bring greater financial and risk management discipline to security strategy and decision-making." In a word, absolutely.
While I don't really believe the situation for CISOs is all that dire as a general statement, I know several who are struggling with even the most basic responsibility-versus-capability issues, so this would ring true to them. Going back a little over 4 years, when I performed the role, I can agree I had very little respect, but that was, looking back on the experience, largely my own fault. As a young and naive security leader I often saw technical solutions first, and non-technical solutions later. I often made the mistake of seeking out the 'shiny box' to solve some of the big problems my business was facing, only to fail even with the best budget. Ultimately the experience of leading in such a high-pressure environment proved to me that not only was I doing it wrong, but that I had to learn to re-focus on what mattered and seek non-technical solutions to business problems first and foremost to gain any respect.
What then, are we to make of this call for a new Chief Business Security Officer (CBSO) role? Should you change the sign on your door tomorrow morning if you're a CISO? Is it really so bad to be a technically capable manager? The answer to both those questions is no. So now what?
I will admit that I am warming up to the idea of the CBSO. Is it a replacement for a CISO? I don't believe so, but that's going to depend on the company size. In an enterprise environment, just as the roles of CIO and CTO have been split, the roles of the CISO and CBSO will likely be split in the future. I do think that ideally one person would play both roles and serve the business and the information from a single seat, but that may be unrealistic ... then again it might not. There are a lot of very capable CISOs out there who have already earned the respect of their business leaders, and a title change will do little to change that. Furthermore, I know of a few CISOs whose attitude or behavior a title change won't necessarily change, so it won't help them at all.
When the rubber meets the road, I think it comes down to attitude change. Is the CISO willing to take on more business-focused responsibilities and look at information security from a less technical, solution-oriented perspective, and if so, is that sustainable? If you're looking for advice, I have a little bit here for you.
First and foremost, make sure you're crystal-clear on who you're serving and who your customer is. You're a steward of the business and are charged with keeping its information and everything else safe and secure. You're also charged with expressing technical risk and debt in such a way that your peers and fellow decision makers understand clearly and can use that information to make informed decisions. If your first inclination on any business problem is to call a vendor and start an RFI for the latest piece of hardware or software, you're already failing... stop yourself.
Next, understand you likely don't get to make decisions. The line-of-business owners are charged with that. They're also the only ones who can accept risk on behalf of the business. You should be providing sound advice based on technical analysis with a sound business context, and making sure people understand what they're accepting or not. Your job is not to make people fear technology, hackers, or the evils of not listening to the CISO.
Finally, if you really have to go that extra mile of changing your job title from CISO to CBSO, and you really believe you need to do it to gain some respect, do it. Sometimes perception is reality, and a title change may signal to your peers and leadership that you get it and are finally starting to do something about it. Don't fool yourself though: changing a title doesn't excuse you from actually making the attitude change.
Is this the year we start seeing CBSOs? I think it's about time.
What do you think?