


What Melissa Hathaway Faced is Endemic for All CISOs and Cyber Czars

Aug 04, 2009 | 3 mins
Business Continuity, Careers, Data and Information Security

Melissa Hathaway stepped down this week in her role as the White House’s acting cyber security czar. Let’s align her brief trials and tribulations with those that CISOs face every day in a ‘read between the lines’ view:

According to informed sources, Melissa was “spinning her wheels” (GETTING NO SUPPORT) as the president’s (CEO’s) economic advisors (CFOs) sought to marginalize (CONTROL) her politically (ECONOMICALLY).

Cyber security is “a major priority for the president (CEO),” White House spokesman Nicholas Shapiro said, adding that the administration (COMPANY) is “pursuing a new comprehensive approach to securing America’s (THE COMPANY’S) digital infrastructure – (AS LONG AS THE CFO APPROVES)”.  In the search to fill the top cyber post (CISO ROLE), “the president (CEO) is personally committed to finding the right person for this job (SOMEONE WHO DOESN’T MIND RESPONSIBILITY WITH NO AUTHORITY), and a rigorous selection process is well under way (MAJOR PSYCH TEST TO SEE WHO DOESN’T MIND PLAYING THIRD FIDDLE),” he said.

She lost favor with the president’s (CEO’S) economic team (CFO) after she said it should consider options for regulating (ENSURING PROPER SECURITY IS IN PLACE) some private-sector entities to ensure they secure their networks (DO WHAT THEY SHOULD HAVE DONE ALREADY), said cyber security specialists (TEAM MEMBERS HOLDING ONTO THEIR JOBS) familiar with the discussions.

The result was a cyber security official (THIRD FIDDLE CISO) who would report both to the National Security Council (PHYSICAL SECURITY) and the National Economic Council (CFO). Supporters (PHYSICAL SECURITY AFRAID OF HER ROLE TAKING OVER SOME OF THEIR RESPONSIBILITIES AND THOSE IN THE CFOs WHO DON’T WANT TO PAY FOR IT) said that arrangement would cement cyber security as a critical security and economic issue (AS LONG AS WE CAN CONTROL THIS ROLE – NO ELEVATION TO THE RIGHT REPORTING STRUCTURE).

What Melissa faced is what CISOs the world over face. Corporations don’t know what to do with the role of the CISO or where to position the CISO within the corporation. They certainly don’t want the role reporting to them, since there is then no filter, and as we who have been in the role know, there are multiple filters that prevent the real message from reaching its intended audience. In parallel, the Obama administration is acting in much the same way as corporations. Until such time as corporations and the government understand the role, the CISO will be relegated to a backseat, reporting to multiple masters who wish to control and manage the position according to their own view, a view that does not understand what cyber security really is. The role needs to be elevated to a direct report of the President (CEO), and they need to start learning and listening.

If this does not occur, then cyber security will continue to suffer. Since it is not occurring, as with most everything in the U.S., it will take a disaster for people to wake up and give the position its due. Wake up, America, and let’s get the role of the CISO to the right position.