We’ve come a long way from just a relatively few years ago in institutionalizing the CISO/CSO mandate across our respective corporate organizational structures. I’ve written here and spoken countlessly of the imperative for CISO/CSOs being granted equal footing as their CIO and CRO counterparts to maximize operational effectiveness and efficiency, not to mention security resiliency; and if that’s not feasible then s/he should have a dotted reporting line to the CFO or COO.
Beyond that, there is a stark security gap that concerns me—one that is more essential and at the same time easier to fix/employ than senior reporting lines.
I strongly advocate and urgently implore corporate management teams to assemble and build a strong and resilient digital security leadership bench within their respective organizations for dual-effect purposes.
Since the beginning of human warfare, long campaigns—and this cyber war we find ourselves in is/will surely be recorded as the longest ever continuous national security level conflict—have required intermittent and overlapping rest and refit for warring soldiers and their leaders. Pulling the front-line troops ‘off the line’, as it were. The human body, the human mind cannot sustain indefinite and unceasing combat operations on the line—no matter if weighted offensively nor defensively. At some point the solder, the platoon, the battalion, the division will crack, and effective combat effectiveness will fall precipitously.
Good and farsighted commanders have long recognized this; and so individuals and units have been pulled off the line to rest and refit . . . to decompress from hot emotions and prolonged intense focus, to rest and then rebuild mind, body and importantly spirit. Why should the cyber battlefield be any different? Sure, there is no hot lead flying around; and sure, there are no mortally wounded casualties. But the CISO is indeed fighting a constant onslaught battle…against an insidious unseen digital enemy(ies) who seeks to do harm to their company’s structure, piggy banks and operating strategy…to their professional family.
Intel has gotten better, but it’s still woeful and negligible. Quality staff are short in numbers. Budgets are for the most part tight. Insider threat still prevails. Making matters worse, a certain fool-hearty expectation prevails across many (not all) corporate quarters that cyber is a zero-sum game—that “in hiring a ‘great’ CISO we’ve won”…and thus the associated corollary that any breach automatically equates to bad performance by the CISO. This is both silly and nonsensical. And so, the CISO goes to bed every night with one eye open, thinking anxious thoughts about unknown bad players who seek to do as yet unknown harm on her/his digital enterprise…her/his home.
It begs repeating: cyber engagement is by design and nature continuous. And a continuous operating cycle, with zero respite for individual players, is unsustainable and deleterious. The stakes are high, and the tempo is intense. And thus, can wreak havoc on the mind and body and spirit. CISOs/CSOs must intermittently be pulled “off the line” in order to ensure maximum long-term operational efficiency and enhanced security resiliency. I’m talking real rest and refit here—far away from the office, with iPhone left in the drawer 23 ½ hours each day.
Quite simply, it’s not enough for (most) established mid and large-sized corporate entities to employ just a CISO alone. Designating a bench of digital security leaders is essential. These cyber players can be named Deputy CISOs or they can be functionally assigned this ‘second hat’ remit in more unannounced fashion. Whenever possible, they should be “promoted” from within, eg the SOC Director being given additional continency responsibilities. But if current staffing doesn’t meet the bar, then the CISO should recruit from outside.
Regardless of organizational size and scale, all mid to large sized corporate benches should be staffed with at a minimum two designated deputies and not more than four. Deputy implies that s/he can/will step into the proverbial breach at moment’s notice, with no loss of operational security effectiveness. Deputies should be thoroughly cross trained among her/his counterparts too. Whether the CISO is attending one of many offsites s/he will be drawn to during the fiscal year or if s/he is visiting a client or vendor overseas or simply if it’s a case of the CISO ‘shutting down’ for two or better three weeks of mandatory holiday leave…there’s no gap, there’s no loss; just seamless transition.
Let me be clear, I am no apologist for the CISO/CSO community writ large. I’m a cyber headhunter; but first and foremost, I’m an operator. I love it when I see organizations maximizing their inherent operating capabilities and efficiencies. And conversely, I get a bit irked when I see good organizations proverbially shooting themselves in their foot, making relatively-easy-to-avoid bad decisions.
I’m not suggesting that CEOs wholesale unleash their CISOs with zero conditional restraints. Nor am I saying that budgets for both gear and staff be virtually limitless. Indeed, the best CISOs exercise discretion and restraint and often do more with relatively less. But . . . I am urging CEOs, their boards and management teams to be smart, expansive and intellectually honest in reflecting on and deploying their CISO asset.
And in establishing a quality CISO leadership bench, there’s a positive force multiplier effect here too. For as the CEO/management team incorporates some enhanced contingency planning for scheduled and unannounced CISO absences—including forced “quiet” vacation time—the CISO will gain a greater peace of mind knowing s/he is fully backed and supported by her/his corporate higher ups; in turn, sustained superior performance out of the CISOs office is enhanced, thus enabling a greater sense of quiet (realistic) confidence at the management team and board level. And, oh by the way, if said CISO is by chance recruited away (it happens!), easy coverage takes hold.
This is a matter our clients are increasingly taking up with us. Some proactively; others responding to my harping at every opportunity, “OK, enough already!” All have come to recognize that an inherent staffing misalignment around their CISO functionality presents potentially critical exposure. If you, reading here, are a member of a management team, I humbly ask that you please raise this matter internally; have an honest discussion and take determined action if warranted. You may need to call on your recruiting partner to address a gap; more likely, you have sufficient staff in place, and need only employ a bit of organizational creativity and forethought. Whatever the case may be, let’s get after it.
This story, “Staffing the CISO office: A call to senior management for some expansive thinking” was originally published by