Who wants to be a CISO these days? And at which stage in your career should you consider the move? What balance of managerial and technical experience do you need to have? And where do you go from there? (what’s the step after next? … always the most important question in terms of career development)
Those would be valid questions for many executive positions but when it comes to the role of the CISO, they seem to acquire a different meaning.
The same title often hides a large diversity of roles, positioned differently across their respective organisations. It often reflects the maturity of each firm towards the appreciation of the threats it faces, the need for business protection, and its appetite for controls.
For large groups, in particular where business units or geographies manage their own bottom line and have a significant degree of autonomy in real terms, it can result in a large population of security practitioners across the group with very diverse approaches, objectives and priorities.
A painfully recurrent complaint among Chief Information Security Officers (CISO) is the disconnect between what they were promised during the recruitment process, and the actual situation they find upon starting the job.
Indeed, it is quite common to hear freshly-hired CISOs blame their less-than-smooth transition into the role on “broken promises” (some explicit and some simply assumed) such as inadequate resources or insufficient attention dedicated to cybersecurity by key stakeholders.
The right reporting line is the one that works. Period.
Why are so many organisations and security professionals still worried about the reporting line of the CISO? This is one of the oldest and most consistent debate agitating the security industry, and it looks far from resolved.
The GDPR is not just about Security, but it has been dominating the life of many CISOs since last year.
The last SASIG meeting in London on 8th May 2018 examined the role and career of the CISO. It is hard to walk out of an event like this one not feeling that a number of things are seriously going round in circle in the security industry.
So … May 25th came and went, quickly followed by the football world cup and a heatwave which wrecked most of Europe and many other parts of the world …
Around GDPR, bureaucracy claimed birthrights over the act and things went back to normal: Snake oil vendors packed their stalls and alleged experts headed for the beach … The anti-climax was predictable, and we are still going through that phase where all players are expecting regulators to set their first fines and wondering “where the big one is going to come from”.
Driving security transformation is becoming key; not justifying investments
The age-long debate around security metrics and dashboards seems very much alive within the CISO community. But it is often positioned in an outdated historical perspective.
For many CISOs, it seems to be still about “justifying investments” or articulating some form of “return on security investment”.
It is being challenged by emerging new regulations such as GDPR, which are impacting all industry sectors, and the arrival on the scene of the new role of the DPOin many firms.
There is some form of management reality beyond the “100 days” journalistic cliché: How does an incoming executive make an impact in a new role? What are the real timeframes to look at, and what can be expected and over what horizon? What are the key issues that should raise a red flag during the first few months in a new senior position? and those which can be ignored?