
The CISO and the thin ice syndrome

Posted on October 16, 2015.

FierceHealthIT magazine recently ran an article, “C-suite execs often see CISOs as cybersecurity scapegoats”, which commented:

“Almost half of C-level executives throughout all industries lack confidence in their chief information security officer (CISO), often viewing him or her as a scapegoat when data breaches occur, according to a recent survey.”

That resonates. Insights first came across this idea talking to a CISO member of Wisegate. “Of course,” he told us, “the CEO first created the CIO when IT became a critical part of the business. He needed a scapegoat in case things went wrong. But then, when infosec equally became a critical part of the business, the CIO created the CISO for his own scapegoat.”

In reality, a lack of trust is felt on both sides. If the Board views the CISO as a scapegoat, then the CISO is equally aware of being in a precarious position. At a recent Wisegate roundtable discussion among more than 20 senior CISOs, fully 50% admitted to having felt they were ‘skating on thin ice’ on at least three separate occasions when talking to the Board.

The problem is that a CISO is almost by definition a harbinger of bad news — and bad news messengers frequently get the bullet. It would seem that the Board is ready to deliver that bullet, while the CISO himself already half expects to receive it.

This delicate balance between Business and Security probably goes some way towards explaining the volume of breaches occurring today. On the one hand, keyed up by the optimism bias (the tendency to believe that bad things only happen to other people) and not trusting Security anyway, the Board is heavily inclined to ignore the CISO’s message. On the other hand, the CISO will be circumspect in delivering the brutal truth about the company’s security for fear of losing his or her job.

The result is that the business might only get the security the CISO thinks he can get away with, rather than the security the company needs. And that will leave the company exposed.

But if the company is exposed, it is more likely to be breached. And if it is breached, the scapegoat CISO will be sacked anyway — after all, it was his job to prevent the breach. The CISO cannot win. He has difficulty in getting what he needs to do his job, and he gets sacked if he doesn’t do it.

CISOs need to be light-footed dancers as well as heavyweight technologists. They need a degree in psychology as well as an MSc in information security in order to deliver bad news in an acceptable manner.

But there is a solution. CISOs need to create a paper trail that exonerates themselves. When a risk or weakness is discovered it must be fully documented before presentation to the Board. The presentation then becomes less an ultimatum (you need to do this!) and more a simple question: ‘are you happy to accept this risk?’

If the Board accepts the risk and does nothing, and a breach occurs, the CISO is protected. If the Board is not willing to accept the risk, it will give the CISO approval to make that risk go away.

There’s an example of this process at Target. It didn’t have a CISO at the time of its breach – its security was being handled by the VP of Operations. His team recognized a vulnerability and documented it. Leadership decided to accept the risk rather than pay for mitigation, and the breach happened. Neither the CIO nor the CEO survived, but the VP of Operations in charge of security kept his job.

Of course, the CISO may have a Board that simply refuses to accept a risk analysis report. In that case, the CISO has little option but to accept reality and move on to a new position with a new company.


Submitted in: Insights