Opinion

Vocation, Vocation, Vocation

such talented CISOs as Bob Wynn, Gail Griffith and Bill Spernow have plumbed the depths of a persistent lack of institutional seriousness about information security

By Lew McCreary

July 01, 2004, CSO — On our cover this month we show a trio of highly competent, yet disillusioned security executives who have stubbed their heads against not the glass ceiling, exactly, but more like the pro forma ceiling or the hypocrite ceiling. Or the just-plain-ignorant ceiling. For a variety of reasons, into which Scott Berinato's story (Locked Out) delves, such talented CISOs as Bob Wynn, Gail Griffith and Bill Spernow have plumbed the depths of a persistent lack of institutional seriousness about information security.

As of press time, they're out of work.

Well, maybe not altogether out of work. What they're out of are the kinds of jobs they're best suited to perform, that engage their passion and commitment and expert understanding of risk. Griffith is selling real estate, where the dominant risk is dry rot in the footers and sills or a bad location, location, location. But like Wynn and Spernow, she keeps on looking and hoping for something that, in Spernow's words, will amount to more than being a "paper tiger." (In the most extreme examples of this phenomenon, it appears the CISO position has been created so that someone can check off a box on an audit statement.)

This is not an encouraging picture. And yet there is reason, and useful precedent, to suggest that it may be a simple case of growing pains. In the early days of the CIO profession, the title was often bestowed months or years in advance of the role's ultimate maturation within organizations. So you had situations where the CEO read an article in the Harvard Business Review or Newsweek that touted the importance of information technology and the need for its high-level governance. And so a bunch of newly minted CXOs sailed forth into what were essentially lose-lose positions created in the midst of skeptical Other O's, who looked like nothing so much as circling sharks. Many CIOs complained that they were functioning as glorified directors of the data-processing department and that they enjoyed zero institutional (or collegial) support.

In that light, consider the case of ex-CISO Terry Williams, in Berinato's story, as he seeks a new job (now that his old one has been "dissolved"): "Mostly, they're looking for router and firewall jockeys."

So, where is the way out of this undermining dilemma? As I have insisted before in this space, the main political priority for anyone whose work is so grossly misunderstood is to manage the expectations of the Big Dogs. What must you do once you figure out that the BDs think the job of their CISO is to (a) keep bad things from ever happening; (b) scratch some board of directors' itch about security-related liabilities; (c) never interfere with another executive's untrammeled right to do whatever he or she wants without regard to security implications; (d) spend no more than a pittance; and (e) do all of this without any real authority or BD-level support?
