Let’s admit it, one of the toughest jobs in Cybersecurity today has to be that of the CISO. To formally define it, this is a role in which the designated person is hired on full time, with a huge salary as well as a fat bonus package. But behind all of this glitz and glamor, the CISO is in a position where he or she is damned if they do and damned if they don’t.
There is no thanks or praise in this position. The CISO is faced with a double-edged sword: Not only do they have to keep pace with the other members of the C-Suite, but they are in the perfect firing range in front of their Board of Directors.
They literally have to do everything in their power to please the Board, because after all, their budget is in the Board’s hands.
The second edge of the sword is in dealing with the members of the IT Security team whom he or she is charged with leading. Not only do they have to keep them motivated, but they have to listen to them, or at least make an attempt to do so. In fact, this is one of the areas that CISOs are most often blamed for.
Many people feel, even outside of the IT Security team, that CISOs do a very poor job of both listening and communicating.
While it is up to the CISO to change their personality traits, you can take some steps to help them listen to you better. It all comes down to understanding the language they can understand and speak. So, this is where you have to figure out what kind of communication personality they have. Psychological research has shown that there are three distinct types, which are as follows:
1) The Business Minded One: For this kind of CISO, all that matters to them (and rather unfortunately so) is the dollars and cents. While they realize they have to maintain a strong security posture, they want to do it at the cheapest price possible. While they may look good to their Board of Directors with this kind of personality, it often comes with a price: poor security. Remember that old proverb, “You get what you pay for”? Well, that certainly applies to this kind of situation. Every recommendation or idea that you come up with and present will be countered with the question: “How does this affect the bottom line?”
2) The Data Compliance Minded One: There is no doubt that Data Privacy has become a huge concern today. To make sure that businesses are compliant in protecting their datasets, laws such as the GDPR and the CCPA have been created. If the right controls are not in place, very sharp financial penalties can be imposed, and there are both civil and criminal penalties that can be imposed as well. Because of this, the CISO has every right to be afraid. After all, if there are any problems with auditors, it will be their heads that roll. Because of this, many CISOs have been known to take their fear to the extreme and become totally obsessed by it. While in a way this is good, because you will at least know your business will be compliant, it is also bad because the CISO will quickly lose sight of the other things they are responsible for. So on one end you will have some higher levels of protection, but on the other, your company could become more prone to security breaches because the CISO has not been able to keep up with the latest happenings in the Cyber Threat Landscape.
3) The Technical Minded One: These are the CISOs that have been brought up in the world of Geekdom. All they have ever held were pure technical roles, and nothing else. While you want a CISO that can understand and speak the techie side of things, this can also be a dangerous proposition if this is all they think about. As a result, they cannot easily understand the people side of things, and when they do communicate with other employees or their Board of Directors, it is often at a level that nobody can really understand. Also, they will have a hard time communicating any kind of business case to their higher-ups, especially when it comes to getting an increased budget. This kind of CISO personality also exhibits a very micro view of things, because they want to know about all of the moving parts. Because of this, they can lose sight of the big picture very quickly.
My Thoughts On This:
Keep in mind that this is not an all-inclusive list. There are other personality types that could potentially exist, but these are the three main ones that research has proven. In an ideal world, you will want your CISO to speak through all three of these personalities. But it is very difficult to find a person that can understand both the technical and business sides of the Cyber world.
For this reason and many others, many CISOs today simply do not last long in their roles. The average tenure these days is at best 1.5 years. For this reason, as well as the current economic situation, many companies are now doing away with hiring full-time, direct-hire CISOs.
Instead, they are opting much more favorably for what is known as the vCISO, where you hire a former CISO on a contract basis, for a fraction of the cost.
But whatever route you go, keep in mind that the CISO or even vCISO is the ultimate reporting authority for the IT Security team. If you want your ideas to be heard and even implemented, it is important to make a good effort to understand not only which of the above-mentioned personality traits they fit, but also to try to speak their language.