R.E.S.P.E.C.T.: The way for CISOs to get and keep it

While they have a “C” at the beginning of their title, CISOs are held in generally low regard in the executive suite. The way to reverse that, say those who are familiar with, or have held, the position, is to be more than a geek

Page 2 of 2

Indeed, mega-retailer Target didn’t even have a CISO at the time of its catastrophic security breach in late 2013, which exposed roughly 40 million payment cards and personal data on up to 70 million customers (as many as 110 million people in all) and led to the “resignations” of the CEO and CIO. The company finally hired a CISO in June 2014.

That suggests that the CEO and others higher up the executive food chain may not understand the role of the CISO as well as they do other C-level positions that have existed for decades.

Clark said the chance of friction at the C-level is greater not just because the CISO is a relatively new role, but also because it is that of a change agent, “because the threats and the way risk is addressed is evolving. This is why it’s important for them to be consulted, engaged and an ongoing part of the business.”

And Frymier contends that another reason for that lack of understanding is because most CISOs are not structurally part of the C-suite anyway. “In many – if not most – organizations, the CISO reports to the CIO who reports to the CFO or COO, who reports to the CEO,” he said. “This person is thus at least two levels removed from the C-suite.” 

Whatever the structure, those in the field agree that it is mostly up to the CISO to explain that role and how it can enable both the effectiveness and security of the organization.

“CISOs need to learn new skillsets, understand the greater business dynamics that drive the enterprise and be able to communicate effectively to other C-level executives,” Wysopal said. “It’s about being recognized as a strategic asset to the company.”

Anagnos said he believes most CEOs take security seriously, but need to have questions like: “What is the risk?” “What is our current security posture?” and “What to do?” explained and answered clearly by a CISO.

And then there is the “convenient scapegoat” perception. While it is clearly a pejorative term, it seems reasonable to ask why the chief of security shouldn’t be held accountable for security breaches. Isn’t that what the job involves?

It’s a bit more nuanced than that, according to Lyons, who noted that the ThreatTrack survey found that a significant percentage of executives believed CISOs should be held responsible for security breaches, but, “should have limited say in acquiring the technology and resources to prevent them.”

In other words, hold them responsible, but don’t give them control. “That mentality demonstrates that many in the C-Suite still do not understand the role of CISOs and the value they can bring to the table,” Lyons said.

He agrees that, “CISOs should be accountable for their policies and performance. However, it is important to keep in mind that a data breach in and of itself – with today’s rapidly evolving threats – is not necessarily evidence of negligence or faulty strategy,” he said.

Wysopal said that in some cases the CISO should go, if there are “overall failures of a program.”

But he and others note that, “like any critical business function, a security program is made up from a blend of people, process and technology, all of which need to operate together while evolving to keep pace with an ever-changing threat landscape.”

Ultimately, for a CISO to get, and maintain, respect will take what Frymier calls a “two-way street” of communication. The CISO will need to make the business case for security measures, but CEOs need to create a climate of respect for security throughout the organization.

Too frequently, he said, “organizations create a CISO position to ‘check the box’ that they have one. If the funding isn’t there to create a real information security program and an adverse event happens, it’s easy to take the symbolic gesture of firing the CISO because he’s just a lone person.”

That is why, Clark said, it is crucial for a CISO to build a relationship with the entire executive team – especially during a time of transition.

“The perfect model of a CISO who has survived and thrived is one who focuses on the relationship first,” he said.

“The most successful enterprise-level CISOs are not just entrenched in technology and operations. They are savvy executives who know how to build relationships with other C-level executives and get things done. From there, the respect usually follows.”

Copyright © 2015 IDG Communications, Inc.
