Friday, May 15, 2009

Do Companies Need a CISO?

Is there a future for the security executive? It's hard for me to be completely objective about this because I have some skin in the game. No one wants to wake up one day and realize that their job is going the way of the elevator operator.

Chief Information Security Officers (or whatever title they give the executive-level security person) started to really take off in the early 2000s. Usually working with a small staff and a small budget, the CISO is meant to drive all information security functions within a company and effect change across the enterprise. Especially after 9/11, the creation of a CISO office became de rigueur for companies eager to demonstrate their commitment to security and public safety.

But lately I get the feeling that the role of CISO is in decline. This may seem heretical coming from a security executive, but I believe that the information security risks enterprises face have been exaggerated and misunderstood. The security industry is itself in large part to blame. The industry overhyped threats and demanded too much time and money to mitigate risk. Companies went along by buying expensive security equipment and hiring lots of security staff. But now some companies are starting to wonder -

Do We Really Need A CISO?

A company usually hires a CISO when they believe that two conditions are met - (1) security is a *uniquely* pressing and urgent need within the organization, and (2) a dedicated office and executive is the best way to adequately address the security issue.

But does every company actually need a CISO? Are both (1) and (2) true of every company? The sneaky italics in (1) are a hint of my personal take on this - no for (1), and for (2). A minimum level of security is of course always necessary, as are functioning toilets, basic physical security, workplace diversity, and a hundred other issues that do not have their own dedicated teams. But a unique need more important than anything else? Perhaps for a bank or a hospital, but not for a widget maker. 

But wait! What about "the competitive advantage of security" and "the ROI of security"? At the risk of bursting some bubbles, security does not necessarily offer either competitive advantage or ROI for many businesses, even big businesses. And even when it does, a CISO is often unnecessary in an enterprise with low security requirements. Security responsibility can be assigned as just another task to a CIO or other executive.

Which brings me to a phrase I coined a while back (or at least will take the credit for coining) - security narrative. A company's security narrative is the overall story of how it handles security - basically the kind of information you would give the CEO of a potential customer if they asked what your company does for security. A CISO's job is to own the overall security narrative in an organization.

Whether your company needs a CISO is essentially a question of whether your company needs a full-time executive to own and manage its security narrative. Not every company has a Chief Privacy Officer, a Chief Continuity Officer, or a Chief Blogging Officer (yes, that one exists). But if privacy, continuity, or blogging is critical to your company, you will have that CPO, CCO or CBO. It works the same with security. So how many companies actually do need a CISO?

500 CISOs at the Fortune 500? Je pense que non...

One of the speakers at RSA last month claimed that all Fortune 500 companies now have a CISO. This seems highly unlikely. But even if it's true, this is probably more a reflection of title inflation than anything else. If we define a CISO as someone who is responsible for managing security but who is not operationally involved, I suspect there are a substantial number of Fortune 500 companies without a CISO. An employee who spends a substantial part of their time configuring firewalls or managing the people who configure them is by definition not a CISO.

Let's take a break from the doom and gloom. Despite everything you've read so far, there are still a large number of companies that need a security narrative and need a CISO to own it. For these companies, the CISO function will become even more prominent in coming years. And these CISOs are as hard as ever to find...

It Ain't Easy Finding a Good CISO...

What makes a good CISO? In descending order of importance - 

  1. The ability to effect change.

  2. An understanding of how business processes and information interact.

  3. An understanding of the technologies used in your organization.

  4. An understanding of legal and compliance issues.

These skill sets are not in and of themselves so unique - any executive in a technology-driven company needs a bit of each one. The tough part is finding someone who has all four skills and is actually interested in information security.

Oh wait - we're not done whittling down the list of potential candidates. Security to most organizations is and always will be a tax. Being the custodian of this tax function will never be as sexy as selling or building or whatever it is the company does. There's many a qualified potential CISO who ends up getting enticed into more glamorous (and profitable) sides of the business.

Some Other Recent Thoughts On This...

Some people talk about Chief Risk Officer being the next generation of the CISO function. I don't buy this. Everything a company does involves risk, and there's only one person who is ever going to be really responsible for managing all enterprise risk. That's the CEO. 

The Verizon Business Security Blog has an interesting piece about how cloud computing is going to reduce the CISO to a custodian of vendor relationships (or "gracefully lose control"). 


  1. I wish my old boss would read this.

    It is sooooooo spot on.

  2. I think that all companies should have their own chief information security officers so they can secure any data or information they have.



Note: Only a member of this blog may post a comment.