Will the real CISO please stand up?
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
I remember over sixteen years ago when I accepted my first cybersecurity management position. I was still active duty military at the time and back then in 2002 cybersecurity was still called information security or information assurance. The job title I filled was that of Information Systems Security Manager (ISSM); it was an unusual assignment because I had a team of thirty people and I was managing network security, risk management, data privacy, and security compliance. For those of you who have never worked in the federal or military community, having multiple jobs fall under one title is normal and after a while, you get used to the fast pace of operations.
I think back to that time because for the two years I was in that job I always felt like an imposter. I never received much management training to go with my technical skills and certifications; I continuously believed I needed to do better. I also remember a defining moment during that two-year period when I met my first CISO from a local defense contractor. This CISO and I were attending a security conference, and I was excited to meet people that I believed were my peers. Of course, I was caught by surprise when this CISO and several more laughed at me and told me I was not a CISO or security professional. They stated that as far as they were concerned, anyone in the military or civil service was not a real security professional; we were all "wanna-bes." What is even worse is that at the time I believed that idiot and honestly felt ashamed that I was just an ISSM, and it would be years before I thought I could be better. The reason I allowed you to see the beginning of my path to becoming a CISO is that I see organizations and professionals in our community demonstrating some of this same behavior today, and it needs to change.
As a CISO I have served each of my previous and current organizations with honor, focused leadership, and the technical skills I have acquired over the last twenty-five years as an analyst, engineer, architect, developer, manager, CIO, CISO, and CRO. I freely give to our community, writing, mentoring and speaking where I can, because cybersecurity is a passion that I want to share. With that said, in each position from the military to the federal government to the City of San Diego to Webroot, I find I am still disrespected at times for not being the right kind of CISO. This raises the question: what is the right sort of CISO? Who makes those decisions? I have come to realize much of this is due to how businesses today segment and recruit candidates to fill their CISO positions, and honestly, I believe they are doing themselves and our community a disservice.
Now, before many of you get upset, let's look at a basic definition of what a Chief Information Security Officer is, and I will explain my thoughts.
- A chief information security officer (CISO) by definition is the senior-level executive within an organization responsible for establishing and maintaining the enterprise security vision, strategy, and program to ensure critical assets and technologies are adequately protected.
Looks pretty simple, but for those in this role, we know the truth is far different. In fact, this position carries enormous responsibilities and has matured over the last several years, acquiring new functions that are more aligned to support business operations. Some of these new functions are centered on risk management, IT governance, compliance and audit, security operations, and finally business enablement. CISOs have traditionally been the protectors of their organization and are now being asked to continue that time-honored role but also to help enable the revenue-generating business units. These new functions within the CISO role require CISOs with diverse backgrounds, and it is with this in mind that we will continue my original discussion.
I write extensively about cybersecurity and travel to numerous security conferences and events around the world. I mentor CISOs from all walks of life and business roles, and I find that time and again I see organizations recruiting the CISO role as though it were an IT position. CISOs are people who typically have extensive experience across multiple career fields and require the technical skills of a network/security architect and the business soft skills of an enterprise executive. They are people who can step into different roles depending on the situation and the needs of their organization. It's this view of how dynamic the CISO role has become that makes me ask a question. Why is it that companies feel they must limit their options when recruiting for an open CISO requirement? Limit their options? Yes, limit their options by asking for only a particular type of CISO. To give you an example, say the open requirement is from a retail company, so the company wants only a CISO who has worked with previous retail businesses. Well, I understand they want someone who would be familiar with the compliance and regulatory requirements of the company. However, that narrow view results in the hiring business excluding about 90% of the CISO population. In the event the retail company finds its CISO unicorn, you can bet other companies are looking at their candidate, and good luck trying to keep that CISO for a long-term assignment. CISOs are not stupid people; we can learn about new regulations and manage a security team in a different business environment. I have mentioned before, and I will repeat it: there is no reason to try and hire a unicorn when a pony will do just fine. In fact, many of us hard-working ponies aspire to be unicorns if given a chance, and I know we will surprise you. Trying to force the role of CISO into a specific box negates the possibility of acquiring someone with the skills and talent your business actually needs – so take the chance!
As CISOs, our community must grow out of this business-segmented mindset of being a particular CISO type like Retail CISOs, Medical/Bio-Tech CISOs, Finance CISOs, Product CISOs, and the list goes on and on. We as brothers and sisters are just CISOs, and we need to support each other and not tear each other down. In closing, as security leaders, we should be focused on giving back to our local community and our cyber community, and on taking care of ourselves so we can help grow the next generation of cybersecurity professionals. Blessings to all of you and your families; I look forward to the discussions to follow - GH.
***In addition to having the privilege of serving as Vice President and Chief Information Security Officer for Webroot Inc., I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2. For those of you that have asked, both are now available in print and e-book on Amazon, and I hope they help you and your security program excel, enjoy!
Great read - thank you!!
Cybersecurity, Architecture, and Compliance Expert | Speaker | Advisor | Veteran
Well put
Cyber Security Architect. Opinions are my own. GIAC GCIH… CCSP… CISM
Agreed
Fortune 200 & 500 CISO | Technology Executive | Board Advisor | ex Experian, AT&T, IBM, XPO
Good article Gary!
Adversarial/DevSecOps/Intelligence/RedTeam Lead | OWASP-NY Chapter President | ISSA | Cloud Security Alliance | CyberIQ | AI | Quantum
Thank you, thank you, Gary... great read. CISOs need to be HEARD; as a Security Professional for over 25 years I have also heard the BS. Thank you for sharing... -Guy