The “when, not if” paradigm around cyber-attacks is completely changing the terms of the cybersecurity conversation.
Many large organisations now assume that breaches are simply inevitable, due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors which comes with it.
Many CISOs complain of communication problems with their business. They are not being listened to. They are not getting the budget they think they should get. They feel their business too often prioritises other concerns over security.
It has been a recurring theme amongst information security professionals for the best part of the last 15 years, and it is rooted in a wide range of factors, amongst which the profile of the CISO is often a dominant limitation.
Who wants to be a CISO these days? And at which stage in your career should you consider the move? What balance of managerial and technical experience do you need to have? And where do you go from there? (What is the step after next? That is always the most important question in terms of career development.)
Those would be valid questions for many executive positions but when it comes to the role of the CISO, they seem to acquire a different meaning.
The same title often hides a large diversity of roles, positioned differently across their respective organisations. It often reflects the maturity of each firm towards the appreciation of the threats it faces, the need for business protection, and its appetite for controls.
For large groups, in particular where business units or geographies manage their own bottom line and have a significant degree of autonomy in real terms, it can result in a large population of security practitioners across the group with very diverse approaches, objectives and priorities.
A painfully recurrent complaint among Chief Information Security Officers (CISOs) is the disconnect between what they were promised during the recruitment process and the actual situation they find upon starting the job.
Indeed, it is quite common to hear freshly-hired CISOs blame their less-than-smooth transition into the role on “broken promises” (some explicit and some simply assumed) such as inadequate resources or insufficient attention dedicated to cybersecurity by key stakeholders.
The right reporting line is the one that works. Period.
Why are so many organisations and security professionals still worried about the reporting line of the CISO? This is one of the oldest and most persistent debates agitating the security industry, and it looks far from resolved.