TL;DR: Organizations start security programs for a variety of reasons, but their motivations often limit the success of the program. Keep in mind that the business needs a security program covers on day one will likely be very different from those it covers as the company evolves; companies and their security leaders have to be ready to adapt. Finally, security is far more complex than most would imagine. The breadth and depth can be daunting even for experienced security professionals, let alone those who are not responsible for security.

I always find it interesting to understand why a company is hiring its first CISO. Did someone force them? Is the board interested in having a CISO? Does the company think the CISO will be responsible for all of the company’s risks? Or is there a genuine desire to lean in to security issues, and use it as a strategic initiative?
Understanding the mindset is critical in setting the new CISO on a path to success within the organization. Depending on the motivations, an organization’s leadership team (or hiring manager) will have certain preconceived notions about what the CISO is there to accomplish. If, for example, this is a compliance or certification-driven initiative then it is likely that the CISO will be placed closer to the CTO/CIO or Legal. If it is driven by a regulatory obligation then the CISO may be reporting to the board per that requirement. If however, it is because of a technical driver such as a penetration test or fear of hackers, then it would come as no surprise to see the CISO be a director or below and under infrastructure or IT. The motivations around why to start a security program can be filled with biases and assumptions that may already be dictating the scope and success of the security program.
Instead, a company’s leadership team should look at security as a strategic opportunity, and understand the breadth and depth of what a security program aims to accomplish. Security is a strategic team just like your finance team is a strategic team; finance is not only about paying bills but also about forecasting, budgeting, invoicing, etc. Security is not just insurance.
To set you off on a successful journey towards hiring a CISO, let’s first identify how not to think about the CISO and then let’s look at what a new CISO would like your security program to be. Here are negative starting points for the new security organization:
- The CISO is here to sign off on risk.
- The CISO will stop the hackers.
- The CISO is here to yell at employees who keep clicking on links in phishing emails.
- Security is a technology problem (we’ll explain why this is wrong later).
- Security is a safety blanket / insurance plan.
- Someone told us to do it (regulator/certification/etc).
If any of the above are the starting points, then it is important to take a step back and instead look at security as an opportunity rather than an obligation. One can always be annoyed about wearing a helmet, but if it means you can go faster, then it will help get you to where you’re going quicker. Think of time-trial cyclists – the helmet is not only allowing them to go very fast in a safe manner, but it is also making them far more aerodynamic and efficient.
How Security Leaders (should) See Security
Even some security leaders are narrow in their view of what a security program should be. This can be because they are passionate about one aspect of security or because they simply haven’t seen a security program covering the full gamut. Either way, their job is to see the whole picture.
CISOs need to see security as covering the full breadth of security and risk management. That is everything from the moment an employee walks in the door: when a product germinates, when international expansion is considered, when a new vendor engagement begins, when new data ingestion/handling is designed, when the environment is monitored, when a product is released, when future product vulnerabilities are watched for, when incidents are investigated and responded to, etc. In the end, security needs to be part of every aspect of the company and how it does business.
CISOs also need to understand the business well enough to see how security can drive growth to the top line and the bottom line. Are there product areas that the company has not explored before that security can identify? Can security help decrease time to market with its contributions? Can security facilitate a new line of business or shorten sales cycles? This is usually an area where security doesn’t contribute nearly enough, or sees itself more as a function that comes in later to clean up the messes of uninformed decision making.
So, what does a security program look like?
It would not be a stretch to argue that security and risk management is one of the most complex and interdisciplinary business domains out there, and it is important to be able to take a step back and see the big picture. An even more important function of security is helping others come to terms with the complexity of the security domain.
People are generally surprised when they walk through all of the domains of security, most of which had never occurred to them. CISOs need to be the educators who work with business and technology leaders to comprehend the breadth and depth of this profession.
To give a brief view of what it looks like, the following is an over-simplified version of the security landscape. Keep in mind that organizations do not need to cover all of these areas; however leadership should be aware that the areas exist, and make conscious decisions about which areas to tackle and which to put on the back burner.
Each of these boxes has 20 other boxes inside of it, and some functions have been left out entirely for simplicity.
The quick lesson is that security is a broad and varied field. Organizations need CISOs who can take stock of the entire playing field and coach a team of experts toward a unified strategy. The quarterback on a football team cannot play all of the positions and certainly cannot play them all at once.
Organizations need to have specialized leaders/partners/vendors in each of these areas. Subsequent posts will dig into the specifics of what each of these boxes actually means. It will become obvious that not only would this be a tremendous amount of work for any one or two people, but these roles fundamentally require professionals with different mindsets and aptitudes.