CISO Expectations Are Becoming Impossible To Achieve


The multi-year rise in data breaches, ransomware attacks and insider threats has led to a surging global need for cybersecurity leaders to save the day. But here’s why the CISO ideal is harder than ever to deliver.

by Dan Lohrmann / September 9, 2019

The following is a fictional job posting. Any resemblance to an actual public- or private-sector job posting for a CISO is purely coincidental.

Wanted: An experienced, industry-leading Chief Information Security Officer (CISO) at well below what the market is paying when considering both wages and benefits.

This hacker guru, who excels at stopping nation-states and organized criminals from penetrating (very) vulnerable mission-critical networks, will lead a team of security staff who struggle in the fight against global adversaries and cyber war.

Note: Filling existing team vacancies will be an immediate priority, but keep in mind that our budgets are tight, so hiring freezes will likely be imposed soon after you are hired.
This recognized expert in executive leadership, project management, team building, relationship management and budgeting will have a minimum of 10 years of professional experience (20 or even 30 years preferred) managing complex security operations centers, supervising large teams (although the team you will actually manage is rather small) and recovering from global cyberattacks that have devastated international business operations. Note: See these recent ransomware attack examples for more specific details of the challenges we are facing.

This exceptional individual should be able to mentor staff, build award-winning strategic and tactical plans, understand the complexities involved in the global banking system, stop cybercrime and speak effectively in front of large (internal and external) audiences in funny, compelling and industry thought-leading ways. Note: Obtaining executive buy-in and speaking to media contacts, lawyers, accountants, college interns and the local PTA is a must. Expect plenty of after-hours meetings and numerous formal or informal dinners (and lunches and breakfasts too). And no, your spouse, family members or significant other is not invited.

The CISO will coordinate, develop and implement corporate policies such as: information security, privacy, urban data management and whatever other policies we need for compliance (including, but not limited to, HIPAA, PCI, IRS and ISO 27002).

These policies will be based on best practices globally and a comprehensive understanding of all local, national and international laws that pertain to data, security, industrial control systems and the Internet of Things (IoT). Note: We expect this brilliant individual to keep up with relevant, emerging cyber startups in areas such as artificial intelligence (AI), quantum computing, 5G, digital assets (like cryptocurrencies) and other cool new stuff.

A consistently positive, assertive attitude and the ability to rapidly enforce security culture change within our enterprise is a must. This individual will also be required to score an average of 4 (out of 5) on 360-degree evaluations from management, peers, business clients, external partners and internal staff. Any disagreements with senior executive management will not be tolerated. Frustration (and certainly fits of outward rage) will lead to an early dismissal for cause, without any termination compensation.

Required professional certifications include: CISSP, CISM, ISSMP, CSSLP and C|CISO. A CRISC certification is strongly preferred but not required. This hands-on pro will also manage several vendor partners. Certifications in acquisition management from federal three-letter agencies (such as CIA, NSA, DHS or FBI), including procurement management, legal provisions and complex contracts, are strongly preferred.

Education shall include a master’s degree in computer science, cybersecurity or electrical engineering, but a doctorate degree in one (or more) of these fields is strongly preferred.

Note: Please include several of your recent blog postings, articles and/or books you have written (along with your Twitter handle and LinkedIn profile and password) in your application on page 21. The forms are right after the FBI background check details, but before the release authorization for five years of family tax records.

Speaking of background checks, proof of no criminal wrongdoing (ever) along with exemplary service to your community (shown via at least one nonprofit organizational award) is assumed. In addition, previous (successful) examples of leadership roles outside of work are strongly preferred; please list these references on page 37 of the application. Active involvement in non-political (but acceptable by our standards) social causes is encouraged before, during and after employment.

Note: We are an equal opportunity employer, and all applicants are encouraged to apply regardless of ethnic background or religious beliefs.
Must be available for frequent travel and 24x7x365 access/availability, even on vacations and holidays, should the need arise (and it will). Note: Out-of-state travel will generally be limited to under 40 percent of your time, depending on the number of domestic and international conferences you are asked to participate in.

Most important of all: The search committee expects this new CISO to ensure (in writing) that NO DATA BREACHES WILL EVER OCCUR ON YOUR WATCH! Any ransomware attack or phishing attack against any of our company staff or contractors that succeeds for the bad actors will be considered an unacceptable security incident for the purposes of your limited-term legal agreement. Note: This one-sided contract shall be signed on the first day of work.

In the event that the search committee is unable to find qualified applicants who meet all of the stringent requirements for this CISO role, we reserve the right to waive any (or all) requirements and hire the best candidate from within. Note: If this alternate selection process is chosen, the selected candidate will be on probation and have one year to fully meet all position requirements listed herein.

Expect ‘other other duties as assigned’ to be added to this CISO role. Final Note: The qualifications committee is still working on additional requirements that will be discussed with applicants who qualify for a formal interview.
Where Did This CISO Job Posting Come From?
OK, I admit that I went way over the top and (intentionally) embellished this CISO job posting to make my point.

I certainly did not intend to offend anyone, but this description represents many of the unreasonable expectations that more than a few CISOs feel right now.
Regardless of your views on my (attempt at) humor, expectations for chief information security officers (CISOs) have grown immensely over the past decade. Many goals and deliverables are virtually impossible to meet, especially in the public sector. Some experienced CISOs are even leaving the role (but not the cybersecurity industry) to become expert consultants in cyber.

Many CISOs are now in a “no-win” situation, and it feels like (job description aside) even Iron Man or Wonder Woman couldn’t succeed, given all of the challenges.

CISO expectations from management have become unachievable, even as our security challenges get harder to address.
So why do I make these claims, and what can we do about the expectation problems? That’s what we will cover for the remainder of this blog.
Why Now? Examples Please?
First, there have been dozens, perhaps even hundreds, of articles, books and white papers over the past several years providing analysis and guidance on why CISOs fail and/or what it takes for security leaders to succeed. Most of these provide a level of helpful analysis and good advice.

Here is one article I read recently from Rajeev Shukla on Peerlyst.

I encourage you to read his well-done article, with helpful charts. Here are 11 of his reasons for CISO failure:

1. Caught into “Product Panacea” mindset
2. “Insufficient Understanding” of cyber areas
3. Lack of vision, to create, “Program Frameworks”
4. Over dependence on high cost “Consultants & Services”
5. Operational oversight, caused by “Ineffective Delegation Model”
6. “Lacking Personal Ability to Retain Talent” in key areas of cysec team
7. “Hype Fancy” leading to unreal connection with ground realities of CySec
8. “Critically Lacking Assertiveness” in keeping, defending and moderating a point
9. “Hiding of Info/State” by their own team and own organizational elements, leading to chaos
10. An “Inability to Navigate Politics” of the larger organization, and, implement/influence decisions/actions
11. “Getting Caught into Politics” at the critical points, which demand, direct and assert resolution models

SecurityRoundtable.org also explains: The evolving role of the CISO: From risk manager to business enabler.

ISSA offers some great advice and direction in their CISO Mentoring Webinar Series, which covers a long list of topics from seasoned experts. I even participated in one of the podcasts in this series in September 2015, titled: “The Top Five Mistakes New Security Leaders Make.”

And yes, I have written extensively on this topic going back to 2010, when I wrote a blog series for CSO magazine on the seven reasons security pros fail.

Also, I offered input into this article by Joan Goodchild on 6 Steps Every New CISO Should Take to Set Their Organization Up for Success.

I could go on and on, but I’ll stop there. Feel free to google terms like “CISO failure” (or add success) and you will find many more articles and books on CISO requirements and what’s needed to succeed. These are all (hopefully) helpful pieces that make good points.
So What’s the Problem?
But taking a step back and looking at them as a whole, these lists have become overwhelming and impractical to master.

Almost like diet books, this seemingly endless list of tips, tricks, ideas and must-do’s for CISOs to become over-achievers isn’t going away anytime soon.

My concern is that no one, and I repeat NO ONE, can possibly do all of this. Expectations have grown to be (almost) like the job description at the beginning of this blog.

While I really like Rajeev Shukla’s article above, my heart sank when I heard this was part 1 of 5.

(Part 1 alone seems overwhelming to master by itself.)
So should we just give up and not give advice? Of course not! But we must also balance these lists against the reality of burnout and of a genuine security leadership career. Not all CISOs are created equal, and most will never be able to consistently achieve half of what we are preaching in these books, lists and articles.

So yes, the pendulum is swinging back the other way for me. And others are saying the same things.

Consider these articles:
