How to Hack Your CISO and Get Better Results, Every Day! Pt. 1
Richard Bird
Chief Security Officer | Advisor | Board Member | Author | Multi-Time C-Level Exec | Keynote Speaker | Media Personality | Questioning The Status Quo Of Cybersecurity | Good Trouble Maker
Can I be brutally honest for a moment? Your Chief Information Security Officer has been set up to fail.
I know, I know; you believe in your CISO. You stand up for them in executive leadership team meetings and board meetings. You talk about how much you truly worry about the next breach, exploit, fraud event or cyber related production outage. But, you really don’t mean it. How do I know? Because your CISO is still reporting to your Chief Information Officer.
Before we dive into how to hack your CISO and your organization for better security results, every day, let’s take a look at how your corporate governance and organizational hierarchy decisions are probably screwing up your hopes of avoiding the front page of the newspaper for the next big breach event.
When we look at the most common reporting structure faced by CISOs today (if your company even designates someone as CISO, and not just a Director, Information Security), it is important for us to draw parallels to what our corporate environment would look like if we made the same bad choices in functional hierarchy in other areas of our company. Using the logic applied today to CISOs, why don’t we have the Chief Financial Officer report to the Global Head of Sales? What could possibly go wrong if the leader in charge of revenue generation and market share acquisition had the company’s primary accountant reporting to them? Using this same compelling line of reasoning, why don’t we have the General Counsel report to the Chief Marketing Officer? Wouldn’t it make the pesky business of legal disclosures so much simpler and better for your customers? Why have the Chief Information Officer report to the Chief Executive Officer at all? We know that the business drives large parts of the annual technology spend in every company, so why not just let the CIO report to the head of the largest business unit in your company? Fair is fair, right? I am certain the business executive owning all of technology will pay all the required attention to system maintenance, the needs of other business lines and day-to-day IT operations. Aren’t you?
In all of these instances, I am certain you’re saying “no, that won’t work. That’s not how any of this works”. But this is precisely what you’ve done with your Chief Information Security Officer. You’ve aligned them to a business leader for information technology. You’ve aligned them to a member of the executive leadership team who has enormous up-time demands from their business partners, huge expectations from their product development and marketing teams, as well as day-to-day run-the-engine requirements that consume considerable portions of their already heavily scrutinized budgets. And in the midst of all of this, you’ve aligned the one person in your organization who has been tasked to keep the entire digital universe you occupy safe, while putting them in a position where they can never deliver on that task.
So what happens as a result? Your CISO's budgetary asks are put into the total CIO budget request and it is evaluated based on “business need” or “business priority”. Your CISO will tell you “we have included risk reduction in our business case formula” but seriously, it is not true. It isn’t that the CISO is lying, it is that your CISO is the only one desperately saying “I need this technology spend to fix this serious security problem, so stop taking my money to build the next rewards program application for the business”. They are diplomatically drowning. And you are throwing them a boat anchor instead of a life preserver.
Think about the reality of history for a moment, without discounting the truth of it. The information security function did not exist within your company as recently as 10 years ago, maybe not even 2 years ago for several organizations. By aligning information security or cybersecurity to IT, you immediately made a subconscious decision to have your CISO fight for table scraps of budget dollars from the 1.5% to 6% of total budgetary spend you were throwing to your CIO. Oh, and don't forget: you also demand a 10% reduction of that total expense year-over-year. The choice made, long ago, was that even though cybersecurity is an entirely new function and frankly an entirely new set of technologies, processes and staff expertise, there would be no “green” dollars reserved for the function. In no other area of our corporate structure have we ever made that type of decision. We’ve never started a brand new business line, product category or acquisition without investment dollars; new money, green money. So we’ve organized and funded our CISO in a way that guarantees failure. Every budgetary battle for a CISO ends up being the equivalent of King Solomon demanding that the baby be cut in half to appease the CFO, the CISO and all the other IT leaders fighting for money. Except that the decision not to fund a security program across any of the many control categories is precisely why you will get breached. Making your CISO engage in the financial equivalent of Fight Club with your Head of Infrastructure will most certainly lead to your much needed infrastructure upgrade and your much needed infrastructure security monitoring both being underfunded and sub-optimally implemented.
I’m sure there will be some sensitivity to my brusque tone and sharp delivery of this message. But CEOs, COOs, CFOs, CIOs and members of risk management committees at the Board of Directors level, you need a wakeup call. I’m just ringing the bell. While you might be defensive about this series of statements, you just need to ask yourself one question so we can get on to how to hack your CISO for better results.
Do you believe you have enough money to buy your way to safety with information security solutions?
Director of Information Technology at evolv consulting
7 years
The football analogy works well in my opinion. Offensive and Defensive Coordinators autonomous yet still responsible to the Head Coach. All working together to plan and strategize to win the game.
Executive Risk Leader | Cross-Industry CISO and Executive vCIO/CISO/CPO
7 years
I agree with your position to a point. There are certainly disadvantages of a CISO reporting to the CIO, but there are advantages as well. Ultimately, wherever in the organization the CISO can get the most executive-level support and maintain an adequate level of independence (difficult when reporting to the CIO) is where they should report.
PMP, CISSP, GCPN, GPEN, GCFE, GMOB, GAWPT, OSWP, CEH, CySA+, Sec+, MCSE, Tenable Certified Systems Engineer, Splunk ESA, ITIL ...and that is just IT ones. ISSE-CISO done them all. Fed Gov or DOD civilian positions only.
7 years
Richard, an astute synopsis of the organizational challenges when addressing the role of CISO. If you start talking about effectively tying ORM to business survival as it relates to the priorities of the CISO, I fear I may pass out. How are you a Client Director? Maybe that means a whole lot more at Optiv than it sounds. That type of insight is rare and incredibly valuable to any business these days. Maybe they should make you Chief Wisdom Officer.
Vice President of Product Security at @Zelle | Early Warning
7 years
Great article Richard!