This, believe it or not, is a “year end” post above all, with food for thought going into 2016. So here goes.
CISOs are an in-demand bunch. Well, that’s what the media tells us, anyway. Here are some examples of articles that suggest that CISOs are highly sought after:
In High Demand, CISOs Need Boardroom Skills to Succeed
Cyber Security Attacks Spike Demand for CISO Talent
As Cybersecurity Concerns Grow, So Does Demand for Healthcare CISOs
The Rise in the Demand for CISOs
And so on and so on. I think this is reasonable – many organizations are feeling pressured to put someone in charge of information security, and charting and leading a strategy in this area is obviously important to the long-term stability of our increasingly connected business endeavors. However, I think the security community itself is a bit deluded in terms of where the CISO role will ultimately sit within the organization, and how it’ll be perceived. How many conference tracks and talks have you seen that discuss how CISOs can “get a seat at the business table”? Are we not taken seriously!? Are we undervalued?!! Based on my experience, I don’t actually think so. What I DO think is that we may have unrealistic expectations about the level CISOs should attain in the corporate hierarchy.
To get straight to the point – I don’t believe most companies will EVER elevate CISOs to actual C-level positions. I did a bit of research to see whether any of the world’s largest companies publicly list their CISOs on their corporate websites. The short answer (for the top 10 companies on Wikipedia’s list of the largest companies by revenue) is no. Nope. Not a one. Here are direct links to the top 5, just in case you feel like checking:
It seems that the “C” in the title is really an indication of being the head of the security function, but this security function is not valued at the same level as the financial, legal, operations, and overall technology areas within the organization (among others). The great news? That’s actually fine. It’s time to craft a more realistic and effective view of this advisory and support role, and put the ego to the side. Malcolm Gladwell’s book “The Tipping Point” has a lot of wisdom we can draw from.
First, Gladwell defines something called “The Law of the Few”. What he’s arguing is that 20% of the people in any given field or industry actually get the job done and advance causes, while the others tend to follow. These “few” fall into three major categories:
- Connectors: They know and connect people to accomplish goals
- Mavens: They are helpful and solve their own and others’ problems
- Salesmen: They persuade and negotiate with charisma
As a security professional, I think knowing where you naturally fall is key to the success of both the security program at your organization, as well as your own continued career trajectory. Gladwell also defines the “Stickiness Factor” in the same book. This is the quality that compels people to pay close, sustained attention to a product, concept, or idea. Stickiness is hard to define, and its presence or absence often depends heavily on context. Often, the way that the Stickiness Factor is generated is unconventional, unexpected, and contrary to received wisdom. So again, another question: how will you get your point across, and make it “sticky”? In my last post, I argued that the “sky is falling” breach argument is weak. Given this, what will you do to make your impact?
The final Gladwell concept in the Tipping Point that I’ll drag out here is the idea of “the power of context”.
Context means the following:
If the environment or historical moment in which a trend is introduced is not right, it is not as likely that the tipping point will be attained.
Is the context right for business leaders right now?
I think this should be a major goal for many of us in 2016. Whether you’re a CISO, an aspiring CISO, or just an in-the-trenches security person, you need to decide what your best means of influence might be, how to make your message impactful, and whether the time is right to be a bit more dramatic in your approach. Should you use “shock and awe” with pen test or red team results? Or try using back room politics? Both?
I think security has a bit of an identity crisis. We’re told we’re incredibly important by the media, but that doesn’t always get reflected in job titles and “clout” in our organizations. We get paid well (w00t!) but still often feel as though we could get a little more respect. In a bank, you can be a junior admin and still be the VP of something-or-other. In most other industries, though, you MIGHT be called a CSO or CISO, but the reality is that many are not real top-level execs. Does it matter? Maybe not. If you can influence, that’s the goal, regardless. We have a lot of work to do…so let’s figure out how best to get it done, titles and prestige aside. Here’s to an awesome, and more secure, 2016!