alphaspirit - Fotolia
Over the past three decades, I've learned that work experience and titles mean little in terms of business relationships. While, on the surface, a strong resume or a C-level title might shape opinions and engender respect, a title isn't enough. I have rarely seen people struggle more than those in information security leadership positions -- primarily, CISOs. Having consulted with CISOs and knowing friends and colleagues who have held this role, I believe there's a lot of room for opportunities and growth despite the pressures of being a CISO.
At the heart of many CISO challenges are the following issues that fall outside containing actual breaches:
- the ability to get initial buy-in from fellow executives on security strategies and initiatives and how they support the business;
- how to maintain the necessary political and financial support to see initiatives through; and
- the lack of CEO or board support to utilize the true spirit of the CISO role instead of using it as a figurehead or as a scapegoat when an incident or breach occurs.
Why credibility trumps all CISO challenges
Changing the perception of the CISO role isn't easy, but it can happen over time. Approaching CISO challenges from the perspective of doing the best you can with what you have, CISOs need to focus on credibility more than any other thing.
Credibility is hard to define and even harder to quantify, but people know it when they see it. It's all about trust that's established -- not just by doing what you say you're going to do and doing it well, but also going out of your way to help others meet their goals. It's easy to forget, especially in information security circles, that people want to interact and do business with people they trust.
CISOs can't just blame everyone else for not getting security. Every story has three sides -- yours, theirs and the truth -- so it helps to reflect inward. One of the long-standing struggles of information security is the perception of security versus everyone else. This means security can be perceived as the network cops: security representing the barriers to getting work done and security being the bad guys in people's minds. Originally a challenge for network administrators and IT directors, these perceptions have grown with the security function and are now added to the list of pressing CISO challenges.
CISO credibility killers
I've seen CISOs make questionable decisions due to political expedience or for selfish reasons. Here are some examples of credibility killers:
- sending a message that all things security start and stop with security staff;
- having questionable relationships with vendors or spending security money that doesn't need to be spent;
- bending security oversight rules and demonstrating flexible principles that depend on the situation;
- throwing subordinates under the bus to make it look like an incident or breach was someone else's failure;
- talking a big security game at work while playing it down when rubbing elbows with fellow executives on the golf course in order to remain in their good graces; and
- delegating security tasks to staff members and then hanging on to the work in order to stay in control.
Of course, these credibility killers aren't unique to CISOs. Most people have witnessed things like this in various business settings. But, given the fragile nature of the CISO position in the business, any such missteps can be amplified and hurt overall efforts compared to other nonsecurity roles.
I don't envy anyone working in a CISO role. The struggles are legitimate, and there's no quick solution. For years, I've seen executive management getting in the way of security and people outside security making security decisions. Still, security professionals are complicit largely because egos often guide the way. The belief that technical staff know everything about information systems may have worked in the past, but that ship has sailed.
How to build CISO cred
If you're already a CISO or working your way up to that position, do what you can to remain humble and trustworthy so you can build your credibility over time. It's not going to happen overnight, likely not even in a few years' time. You become a credible person over the long haul through both wins and losses -- through the good and the bad. As a CISO, your credibility test isn't selling executive management on a big security project -- nor is it once an incident occurs. Instead, it comes through the little things -- the interactions you have and the decisions you make on a daily basis.
Take the time to notice how things work. Study sales. Study influence. Do what it takes to rise as a leader and remain a leader. Most importantly, do what you know is right. Remember security is not your top priority as a CISO. Instead, IT and security support the business and all of its functions. In order to survive, you must hone and protect your credibility. It's really all you've got.