The effectiveness of the CISO in today's organizations: why security leadership really matters
2014/01/07
The main task of the CISO in any enterprise, regardless of the industry in which it operates and the kind of business it conducts, is to play a leadership role in creating, developing and continuously supervising the enforcement of the most effective information security management program possible in the company's daily operational practice. He/she does this on the basis of security standards, the general legal regulations in force, often industry standards and best practices, and of course his/her own unique knowledge and experience, including leadership skills. At the level of detail, the role and responsibilities of the CISO depend largely on the nature of the organization he/she works for, its size and maturity level and, of course, the industry in which it conducts its business. They will certainly look different in a small organization doing local business than in a large enterprise operating internationally. Likewise, the responsibilities of a CISO in a bank or other financial institution will differ from those of a counterpart working for an institution outside that industry. The organizational structure of the company and its governance model also matter.
The company's maturity level, understood as the overall efficiency of its processes (not only business processes but also, broadly, support processes such as those related to IT services and securing information assets), will certainly have a remarkable impact on what senior management expects from the CISO. In addition, demanding requirements from industry regulators and other control authorities will undoubtedly shape the way the CISO performs his/her duties.
In so-called "on work carried" organizations, that is those which rely on less mature processes, the CISO's activities will probably be dominated by reactive operations, a sort of "putting out fires", while in more mature organizations he/she will be able to focus more on improving existing, stable processes and hence be more proactive in his/her daily modus operandi. Then, rather than "putting out fires", he/she will counteract or prevent them, without, of course, diminishing the importance of security incident handling, which by its nature will always be more or less "firefighting". But building the process from scratch, which is typical for organizations that are only just starting to shape their corporate security governance, is undoubtedly an invaluable experience for a CISO. Such experience tends to be much more interesting than simply "consuming" the benefits of governance and stable processes already built by predecessors.
How effective a CISO is in his/her actions depends not only on the formal profile of roles and responsibilities. The CISO's level of security expertise and leadership qualifications play a much more important role in this respect. If they occur in the proper proportion, they allow him/her to operate effectively in the two different "worlds" in which the two most important groups of internal customers operate.
One of these "worlds" consists of the broad professional community of IT and business units. To this group the suppliers of various more or less technologically advanced solutions also have to be added. Here business concepts are born. Here information systems projects are started. Here technology and the related expertise reign. If you need to talk to people from this community, you must quite often use specific engineering language. Here you have to possess the credibility to be considered a serious partner in a valuable discussion. The best way to survive in this "world" is to be an expert among other experts, to gain their recognition and to lead a dialogue with them on the same level of understanding. Just remember that the IT community does not trust people who do not really know what they are talking about.
The second one is the "world" of management, including the company's senior management. Here, in turn, every attempt to engage in too much "cryptic", highly technical language ends in total fiasco. Managers use quite a different dialect in everyday practice. If you want to "sell" any idea to decision-makers, or for example obtain budget for some important security project, you have to adjust to the requirements of that managerial language. Of course, in this environment you also need to gain, and more importantly later maintain, credibility and confidence.
Here you have to be more than an "ordinary" expert or "technocrat" of any flavor. You need to show a proper, balanced approach: to understand the business and to meet your internal customers' reasonable business expectations. Guided by such a balanced approach, you have to be a valued advisor, effective in recommending and selecting solutions that are optimal and at the same time secure, rather than a "policeman" known for banning everything. Each recommended solution must of course be effective to the maximum extent and at the same time have a reasonable cost-to-benefit ratio. You have to forget, once and for all, about the "prosecutor" or "policeman" approach to enforcing security standards; instead of shouting loudly that something cannot be done because of various procedural restrictions, you should look outside the box and search for compromise solutions that meet the business requirement and remain compliant with security standards. The balance in the CISO's approach to enforcing security standards, mentioned earlier, should however guarantee that he/she does not fall into "rotten compromises". This is not an easy task and can often cause sleepless nights for a CISO. Needless to say, it sometimes requires courage to go against the current, because security does not always go the same way as business, which manifests itself especially in strong pressure to dazzle the market with "innovative" products at any price ("differentiate or die"), products which, as originally proposed by "the business", are sometimes far from secure. There is an otherwise understandable tendency to launch them in a rush to get ahead of the competition, but also a tendency to shorten the testing phase, including of course shortening and limiting the scope of security tests. I do not suggest that every innovation is insecure, but each one, before hitting the market and being offered to the customer, must be accredited from the security point of view. That is a must.
Operating in circumstances of conflicting interests always induces stress for the CISO. However, stress need not be an obstacle to reaching a win-win situation for the effective CISO: a leader with strong senior management support, well known in the company for the "pro-business" approach in every step he/she takes. After all, the security of a product or service, and along with it the perception of that security by clients, is at least as important as the functionality of the solutions entering the market.
The role of the CISO in the company is not limited to the current standard managerial tasks. The CISO is also the author of the organization's security management strategy, a manager responsible for a team of people reporting to him/her, the executor of top management's will in terms of security, and at the same time a visionary and an effective business counselor and IT security advisor.
An efficient CISO is someone who is able to effectively embed security in the broader context of organizational culture, with all its practical implications. I am thinking here primarily of making a strong and persistent impact on the behavior of all employees and management in the organization, in order to make security their way of life.
In this short article I do not want to comment on the characteristics of the perfect leader, because many very smart people have already done so in their outstanding works. I am interested only in the more practical meaning of leadership, in a very specific understanding, well known to me mainly from personal experience, from the operational CISO's point of view.
In conclusion, I would just like to point out that even a supreme leader is likely to be a rather poor CISO if he/she neglects the constant development of his/her security expert qualifications. On the other hand, even the most perfect security expert will be rather mediocre in the role of CISO if he/she does not become a real leader. Indeed, the leadership skills and qualities of a CISO, no less than his/her security expert skills, have a critical impact on the effectiveness of information security management in any organization.