Don’t let me get me

During the recent EuroCACS conference Raef Meeuwisse, Director of Cybersecurity & Data Privacy Governance at Cyber Simplicity Ltd., referred to the CISO as the “Chief Information Scapegoat Officer,” based on an article posted on Infosecurity Magazine. For so many in the industry, this meme of sorts rings true. Today’s CISO is up against a set of challenges present in no other executive-level role, and during a phone interview Meeuwisse explained why, even though humorous, the “scapegoat” label is one hard to shed.

“It’s kind of like navigating the perfect storm,” said Meeuwisse. With the average tenure of a CISO now at only 18 months, many CISOs find themselves inheriting a substantially inadequate security architecture and processes. As a result, the CISO has to balance how rapidly he or she can persuade fellow executives and the business to buy in to the considerable changes required to manage the organization’s true level of business risk exposure. If the CISO moves faster than the business is comfortable with, proposed changes will likely not be approved. If the CISO moves slower than the largest risks, the organization exposes itself to greater vulnerabilities. Making matters worse, “Often the organization’s perception of risk is much lower than reality,” claims Meeuwisse, which means they may not fully understand the implications of making or not making certain proposed changes. It is not a total no-win situation, but it is fairly close to it.

Every day I fight a war against the mirror

The best CISOs need the skills to understand their organization’s business, rapidly diagnose basic security gaps, effect the most efficient remediation actions, and manage that change with the least impact.

“In my experience, most but not all organizations have substantial basic security gaps,” says Meeuwisse, who has reviewed the overall security at more than 60 organizations over the past nine years.

To this point, Meeuwisse highlights that “the mega breaches are never down to one problem area. There are always a number of fundamental gaps. The key is to be brilliant on the basics.” To lessen the potential of becoming the scapegoat, he advises CISOs to focus on five areas:

  • Currency: CISOs must keep up with the ever-changing security landscape. As tumultuous and fickle as it is, it is a CISO’s responsibility to understand current threats.
  • Governance and Testing: CISOs must be “water tight on all the security framework foundations.” This includes identifying the most critical organizational data, ensuring the security team has implemented proper controls around it, and has addressed any resulting gaps.
  • Be a business-oriented executive. Because many CISOs have grown through the technical ranks and were thrown into a business role, this is the one area with which most CISOs struggle. It will become increasingly more important for CISOs to possess this quality in the future.
  • Communication and Presentation skills: An effective CISO has mastered these two skills. Much of the role involves explaining complex problems to people who are chiefly interested in the outcomes and who may not be technically savvy. Spewing bits and bytes does nothing to help the organization understand its risk.
  • Time and finance management: CISOs are responsible for large projects that dictate the security posture of the business; if he or she can’t show some return on investment, s/he will surely be the scapegoat when an incident arises. Because a CISO needs to carve out the time to keep abreast of the complete cyber landscape as well as the organization’s landscape, and to understand the organization’s capabilities and current operations, a CISO “has to be a master of all trades.” A CISO role is all-consuming and the scapegoats will be the ones who can’t manage time or financial obligations effectively.

All you have to do is change everything you are

Despite the fact that the CISO role has been around for several years, and the position is theoretically part of the executive team, many CISOs are kept at arm’s length. Meeuwisse says this is due, in part, to the newness of the role. “Most executive roles are well established, everyone’s clear about what they do.” The CISO model doesn’t fit the deep-rooted executive model at all. Even within the security community, not all companies have come to a consensus on where the role fits and to whom the CISO reports. The other thing that makes the executive team nervous, according to his experience, is the speed at which the CISO is becoming more critical to the business. Executive team and board meetings no longer occur without discussion of the organization’s cybersecurity posture, and many business executives aren’t yet comfortable with the inclusion of managing the “unknowns” as part of overall organizational strategy. This keeps the CISO slightly apart from the rest of the team and makes him/her an easy scapegoat when data is lost or systems are breached. An executive dealing with more established risks is wont to believe that all of the warning signs were present and that a CISO—along with her team—could have prevented a breach if they’d just been paying more attention.

Meeuwisse sees the CISO role evolving rapidly in the near future. The rapid rise to the top isn’t over, and a CISO who wants to hang on to the position will need to become more effective.

“Skills-wise, you’re going to have to be someone who is continually learning, and you’re going to have to be incredibly familiar with all the fundamentals. You’ll also have to be extremely business oriented,” advises Meeuwisse. The CISO is a business position, and even though a CISO will have to keep his technical acumen up to snuff, the security team can help in those areas while the CISO integrates better with the executive team. Today’s CISO knows information security inside and out. Tomorrow’s CISO, posits Meeuwisse, is someone who also fundamentally understands the business, can find and retain exceptional staff, manages resources well, and can show how the organization’s security approach may be used to create efficiency, trust, and value. In this regard, the CISO will become akin to the CFO, someone who can prove and itemize risk in a way that allows the business to move forward rather than staying mired in the latest security headlines.

To get to this level, Meeuwisse reiterates, “be brilliant on the basics and apply them.” So many of the major, headline-grabbing breaches, he points out, were a failure at a fundamental level. Organizations can’t afford, literally and figuratively, to keep allowing that to happen. Lock down default passwords. Don’t ignore alerts. Have humans look into incidents. Master your threat intelligence reconnaissance. The gaps in security are always quite notable—at any company—and the CISO of the future has a robust, reliable team that can cover the basics while she manages up the chain. When it comes to the uncomfortable and significant decisions—and every CISO has them—the CISO needs to know how to surface risks appropriately and remove subjectivity as much as possible. This clear-headed, risk-focused executive isn’t one who is a scapegoat, but a true business leader.

Doctor, doctor, won’t you please prescribe me something

When asked the inevitable, “What’s the best thing a CISO or future CISO can do to set her/himself up for success?” Meeuwisse replied that he’d learned to fly a helicopter. Perhaps not the most conventional route to improving leadership skills, doing so allowed him to improve his multidimensional thinking. “If you move one control [on a helicopter], you have to move three or four others,” he explained. Isn’t this metaphorically and literally akin to how cybersecurity and business interoperate?

While flying persnickety aircraft isn’t for every security professional, CISOs should engage in activities that expand critical thinking and allow them to face business opportunities head on. Great security is an enabler, and successful future CISOs will be the ones who are entrepreneurial. Skills can be acquired in a fun, interactive way, but the key is to acquire them now rather than waiting until you’re seeking your next job, either because you want to move on or because you’ve become the corporate scapegoat.

In closing, Meeuwisse offered, “Keep in mind what’s coming down the track. It’s amazing how often people are blindsided by things that aren’t that far off in the future. Stop aiming to deploy yesterday’s security tomorrow.”