Last week I shared a post on LinkedIn of an announcement by the Massey School of Business at Belmont University that I have joined their faculty as a professor of practice in Business Systems & Analytics. I will help teach and develop their cybersecurity curriculum, and am thrilled to have this new opportunity to help build our future cybersecurity workforce.
That view toward the future cybersecurity workforce was in my mind when I read the excellent but troubling article by Esther Shein on CSO Online yesterday, “Has CISO become the least desirable role in business?” The article makes valid points about the growing challenges and risks that are making the CISO role less attractive for some today, such as the relentless pressure of threats, expanding responsibilities, competition for top staff, growing expectations, counterproductive reporting structures, lack of business support, and potential personal liabilities and reputational damage. I agree with those issues and see firsthand that many CISOs are not positioned for success. With my new role at Belmont aiming to develop future CISOs, I read it thinking: how do we help today’s cyber leaders and change those trends for future CISOs?
The problems are not insurmountable. As someone who somehow lasted twenty-eight years in CISO roles at two of the highest-risk organizations in the country, I can attest that there are many, many positives about the role that cybersecurity professionals should aspire to, including:
At its foundation, the role serves a noble cause – protecting people, businesses and commerce, and nations. I put CISOs in the same special category as nurses, physicians, teachers, police officers, firefighters, members of the armed forces and others who are dedicated to protecting others.
The work is important – in almost every company and industry, cybersecurity is now a critical, board-level risk.
For those who love to be challenged, the CISO role offers the opportunity to solve complicated puzzles and problems, which can be tremendously satisfying.
CISOs work with highly-motivated achievers – the cybersecurity profession is not for the faint of heart.
With that base of positives, what can we build on to reverse a potential downward spiral toward the least desirable role? I think a big part of the solution is air cover.
The term “air cover” comes from the military – when troops on the ground and convoys of ships and sailors at sea were provided support from aircraft above. Air cover helped tamp down adversarial actions and provided tactical information that helped them succeed. I believe many CISOs today lack air cover – from their senior leadership and board.
Air cover for CISOs can take several forms:
Business leaders who understand, or make the effort to understand, the risks and strategy. Does the CISO have regular and direct access to the CEO and the board? Do those leaders take time to discuss cybersecurity, or is it a rushed agenda item needed to check the box? Are they open to education and building their knowledge?
The right organizational structure. Luminary CISO George Gerchow is quoted in Esther Shein’s article saying, “I have to have a seat at the table,” as table stakes (no pun intended) for a CISO role, and I completely agree. Is the CISO at the senior leadership table, where they can hear and be heard in strategy and operational discussions? Are they at a senior enough level to have weight in decisions and able to safely initiate constructive conflict? Do they report to the right level to have access to decision makers, or is their message being delivered by an intermediary and watered down?
Shared accountability. One of the great frustrations of being a CISO is having the responsibility for keeping systems secure, but having to depend on business leader decisions to implement the necessary security measures – responsibility without authority. If a breach takes place, most will view the CISO as responsible; yet how many of those events are the result of business leaders and units deprioritizing security? This is a tough nut to crack, and some organizations try to address it by having IT and security together, which I don’t agree with. I think the answer is a model where business leaders have accountability and are measured for the security performance of their units via performance goals, bonuses, and other incentives.
Resources aligned with risk. One of the biggest causes of CISO burnout and dissatisfaction is when their resources don’t align with the business’ risk appetite and tolerance – they are expected to work miracles every day. The realities of business make this another difficult challenge in every unit, not just security. The key is for CISOs to communicate where the program does not meet risk expectations, so the business can make a knowing choice between adding resources or raising the level of risk they will tolerate.
Personal protection. Although most charges were dismissed and the SEC has now agreed to a settlement with SolarWinds and its CISO over communications in advance of their breach, that case brought visibility to the potential personal liability CISOs face and the risk of being scapegoated for an incident. I think the key to air cover here is working with Legal, the CFO and the CEO to be very clear on protections like Directors & Officers insurance and other job protections, and calling out any gaps.
There are more areas that could be added to the air cover list, and the good news is that many of these areas have been trending in a positive direction for CISOs in recent years. The average CISO today is getting greater visibility, more access and support from senior leadership and the board, higher placement in the organizational structure, more resources, and higher compensation than their predecessors.
Keeping these things trending in a positive direction requires CISOs to earn their air cover by upping their game with senior leadership and the board – improving their connection with the business, communications, and collaboration.
Organizations and business leaders who want the benefit of long and successful CISO tenures need to position their CISO for success. It starts with partnership with, and education of, the CEO and senior leadership team, and the air cover they provide.
Hold Fast
Stay True
This week’s shameless family promotion is for gamers - I am so proud of my daughter being part of the new game gaining rave reviews - https://www.wired.com/story/a-game-called-date-everything-literally-lets-you-date-everything-except-people/