We know now how security management shouldn’t work. But where does that leave us? To answer the question, this being a book and all, let’s attempt to craft a new paradigm. We are building a new structure, and we should start with the foundation.
Here is one statement you could insert at the top of your list of criteria for your next CISO three-sixty review, or search, or alternatively, keep in mind when you go for that interview: The CISO’s role is to support all parts of the organization so that they can do business successfully without taking on undue technology risk.
That’s it. Security is not a guard in front of the gate, although it surely supports the militia. I like to describe security in the following way:
As the CISO, I see my role as sliding underneath all the various business units, joining the person who is already there—the legal counsel—in making sure that there are no cracks in the foundations.
Say what? Indeed, the CISO is simply the modern incarnation of another highly respected business-wide support function embodied by the legal counsel. The CISO does not replace legal, of course, but they fill a similar role. The legal department addresses legal and liability risk. Security addresses data and technology (and related liability) risk.
Even better, these two naturally support and rely on each other. Indeed, thought of it this way, one can see a strong connection to the argument about security not being in itself a technology discipline. When operating in a weaker regulatory environment, the role of counsel diminishes, and in a striking parallel, the role of security reduces as well… ultimately to a laser focus on technology operations.
Just like you don’t need a highly paid chief counsel when bribery of government officials allows you to succeed regardless of your actual business practices, so do you not need a CISO when all your technology risk lies in proper implementation of firewalls. In these cases, what you really need are a consigliere, and a good hacker.
But for those of us making a living in advanced societies, I think it’s fair to say that risk is generally tied to business operations, and that in the modern world, the latter is highly reliant on technology use.
Since you’re still reading, I hope that by now I have illustrated to you that:
- If you’re a CISO, you’re (probably) going about it wrong.
- If you manage a CISO, you’re (probably) going about it wrong.
- If you’re hiring a CISO, you’re (probably) going about it wrong.
If we want to see where this thread ends, it’s all in my book “Why CISOs Fail: The Missing link In Security Management – And How To Fix It.” Or just reach out and let’s chat.
