Published: 01 May 2017
By its most recent measure, research the Ponemon Institute shared in 2014 indicated that the average tenure of CISOs is 2.1 years.
Why so short? There were two proposed rationales. The "wanderlust theory" held that qualified candidates for the role of CISO were in such high demand, according to Larry Ponemon, chairman and founder of the research group, that they were lured to another company that paid more for the position. Ponemon said some CISOs likely made two or even three jumps to higher-paying positions if they were really qualified.
The other theory behind the two-year tenure: When security problems occurred, the affected companies needed someone to blame, which resulted in the CISO's departure. The research data was compiled over several years and based on numerous surveys from mainly U.S. sources.
There's not always a CISO on hand to play the scapegoat, though. Ponemon found that in organizations of more than 1,000 employees, 40% had a fully dedicated CISO, 16% had a partially dedicated CISO and 44% had none. The role of CISO, in some cases, was shared.
"You're not going to find a company that does not have a CFO or CIO, so not having a CISO may indicate that we are not getting enough respect," Ponemon said at the time.
In the years since the Ponemon research, the responsibilities and influence of the CISO role still vary widely, based on the industry and specific company. Yet a few notable changes have occurred.
More first-time CISOs
Suzanne Hall, managing director in PwC's cybersecurity practice, said in highly regulated industries such as financial services, you are going to see a dedicated cybersecurity person, typically a CISO reporting into IT -- the CIO -- or the risk officer or general counsel. "In other industries, it is a mixed bag."
"What we are seeing is either a clearly defined CISO in enterprises or enterprises are looking to quickly create a similar role. And I think the importance of the role and the elevation of the role in order to have an impact on an organization's policies and programs is growing in recognition," said Hall, who began her cybersecurity career at PwC, a professional services network headquartered in New York, and then worked in the industry as a CISO and CIO at several organizations, including the American Red Cross.
At the Fortune 5000 level, some companies still do not have the role of CISO, and many that do have employees who are the first-time holders of the CISO title. "At the high end of medium-sized business and the low end of large-sized businesses in the Fortune 5000, we are definitely seeing first-time CISOs," said John Pescatore, director of emerging security trends at the SANS Institute, based in Bethesda, Md. SANS is training information security and business people who are moving into their first CISO job, and for many, it's also the first time that the company has had that position.
"It has reached the midsize-level company, the recognition that just as you need a chief financial officer to protect the company from financial risks, you need a chief information security officer to protect the company from cybersecurity risks," he said.
Sometimes less is more
The majority of CISOs report to the CIO, and security budgets largely remain part of IT. Some of the companies that spent the least on security have the best security track records, however. In some cases, such results can be traced to the CISO's making sure the right things were getting done.
Pescatore noticed an interesting trend during his 14 years prior to SANS, when he served as Gartner's lead security analyst: Within vertical industries -- financial services, healthcare, manufacturing -- companies all spent about the same percentage of revenue on security. In some industries, it was 6% of the IT budget. In highly regulated industries like financial services, it was 10% on average, with some at 8% and others at 12%, for example.
Two banks with similar profiles, in terms of revenue and customer bases, did some benchmarking, he recalled. Bank A had 100 Windows images in use on its desktops, while Bank B had far fewer. Bank A had to spend more on security because its desktops were harder to patch, the patches didn't always take and the security team had to spend more time on malware. Bank B got its Windows images down to a dozen and, with configuration management, was able to spend much less on vulnerability management and other security measures.
"Within an industry like banking," Pescatore said, "they don't spend that differently, but the one spending less was more secure."
Jim Routh, CSO of health insurer Aetna Inc., headquartered in Hartford, Conn., got the CIO and vice president of application development to invest time in reducing the number of software vulnerabilities in the applications they developed. The strategy -- discussed here -- increased developer productivity and reduced time to market. And it didn't cost the security program any money. It was a matter of getting the IT organization to do things differently.
A valuable skill for CISOs is the ability to work within the company to get change to happen across the organization -- including finding some savings on security spending, according to Pescatore. And then CISOs can say, "Here are things that are going to be happening next year, and the year after, that we need to be thinking about now."
"The key is for the security activity and budgets to respond to the threats and the real-world scenarios organizations are facing," PwC's Hall said. "How can you separate the budget for security, if you will -- what needs to be built -- separate that out from the continuous downward pressure that a typical back-office organization is facing every day?" This is especially true as the number and types of threats increase, and organizations continue to expand where their data resides and who it is shared with, including complex cloud, service delivery and supply chain relationships. The security organization and the technologies cannot stay stagnant in the face of that dynamic change. "It is important for people to look at [the] security budget separate from the overall IT budget."
The risk issue isn't just an IT issue, Hall added. CISOs need to have a dotted line to the corporate risk office and communication with other executives, whether it is direct or indirect.
Getting involved earlier
Most organizations' supply chains have gotten more complicated. As a result, the CISO has to be a lot more involved in supply chain security. That means making sure that security is considered when the company is choosing business partners, and monitoring and assessing the risk of suppliers -- and their suppliers.
DevOps is another example of how security can get involved early in the "food chain" and involve users upfront, according to Pescatore. The CISO skill set includes the ability to work across the company, becoming involved in procurement decisions, the vetting of third-party suppliers and, similarly, all software that is built. "It's too late if you wait until the software is put on the website," Pescatore said. "The security sprint should happen when there is a coding sprint."
Less 'blood in the streets'
The most successful CISOs are the ones who understand how their corporate governance works. They are able to express the benefits of avoiding risks in the terms of the business to executives and boards of directors. With Aetna, for example, the "benefits" were higher productivity for developers and faster time to market for the company's products, not fewer software vulnerabilities.
"Security guys are great at talking about blood in the streets -- all this scary stuff," said John Pescatore, director of emerging security trends at SANS Institute. He called it the No. 1 complaint he heard from boards of directors: "We don't need to be scared; we read the news -- we are scared at home using our own computers. We need to get confidence and trust that this person with a C in their title has a strategy for helping us avoid the blood in the streets." It is important to convince the board that you have a strategy to get the company through "dangerous times."
CISOs should also understand the motivation of the CEO and the board. Joshua Davis, CISO at Qualcomm, joined the National Association of Corporate Directors and reads their guidebooks so that when he communicates with the board, he is speaking the same language.
With roughly 75% of Fortune 1000 CISOs addressing the board at least quarterly, Pescatore is alarmed at the second biggest complaint he hears from directors: "CISOs don't speak our language. And, in fact, each quarter, they seem to speak a different language." It's not hard to research your CEO and board so that you can understand how they talk and how they listen, he said. --K.R.
When it comes to the in-house development of complex applications, bringing in the CISO to protect a product that is already architected and half deployed is going to end up frustrating the security team. The security team is going to have limited options in terms of how they can work with the development and operations teams. The key position in many organizations is having the security architect reporting into the CISO. They work with the infrastructure architects and the application architects to build security into those different environments. They also can work with the business so that security is viewed as a true partner and not a hindrance to progress.
It is important that the CISO not be seen as the "CIS-no," Hall said. "The best CISOs that we work with are focused on, how do you create an environment of getting to yes? Really, the strategic way to get to yes is to build security into the conversation early on."
Is there an understanding of what it means to do a good job in the role of CISO? Is it universal across an industry or within different companies? How is success measured in this cybersecurity career?
"In many organizations, defining what success looks like for cyber and a CISO can significantly vary depending on the company and the threats that it faces," Hall said. "But I think there is a growing acceptance of some key tools that can be used for organizations to track their progress and measure their success over time as well as report out to their teams and boards of directors." For organizations that adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), it is a consistent process that helps them align their program based on risk, define what their current capabilities are and then track that over time. "A lot of the boards of directors, they are learning a lot from the NIST and CSF," Hall said. "It also helps organizations figure out what is reasonable and appropriate for their security program."
Organizations need to measure their ability to respond to security incidents rather than their success in avoiding them, she added. "It is likely we are going to have an incident, and we are going to try to minimize any fallout from the incident."
Why CISOs really leave
Two-thirds of CISOs are leaving their current CISO role because they can get a higher-paying job, according to Pescatore. Some CISOs join startup security companies or go to work in high tech.
"I think it is a very attractive position for people who enjoy the challenge of mixing business and technology together," he said. "At the same time, it is not without its risks. CISOs do get fired with these big breaches, but CIOs get fired when the SAP system is three years late. … The opportunities for these jobs for more money, or less money and more fun, are unlimited. I would say, in general, it's a great profession for doers."
Finger pointers may want to seek another profession, however. "You are expected to change things and not just say, 'Well, we told people not to do that.' You don't see a lot of auditors becoming CISOs," Pescatore said.