Where Does Your Authority Come From?
Cybersecurity Leadership & Strategy Series - Adrian Wright


Years ago, having landed my first Head of Information Security role, I felt honoured and excited at having been gifted the opportunity. However before long I began to realise that I was merely scratching at the surface of a world-sized problem and swimming against the tide of rapid technological transformation across the global business.

Information security then wasn't considered a top priority as the business raced ahead with dozens of web-enabled programmes and products, many having little or no expert security review or engagement on the project prior to going live. The pressure to just 'sign off' on projects to meet business go-live deadlines was immense and almost led to my either quitting or being fired on several occasions. I was working 12-hour days and still losing badly.

The approach we security folk generally take when faced with 'can't do - won't do' projects or stubborn legacy systems, that of getting the business to formally accept the residual risk, wasn't working either, often because we only became aware of them after it was too late to review them and retrofit the required controls.

I hated my job.

One day I was taken aside by a wise old owl who headed physical security across the organisation. He asked me just one question:

"Where does your authority come from?"

I showed him my shiny new business card with words like 'Global', 'Head of' and 'Director' in front of my name. "No, no, no," he said, "Who, exactly, is backing you up and giving you the authority to act?" I didn't have a coherent answer. I had assumed, perhaps naïvely, that my detailed technical knowledge, the job role, and its important-sounding title were sufficient to allow me to challenge insecure projects and behaviours across the business, and then magically command or persuade them into implementing the required controls.

I was wrong.

"And as for the global Director or VP title thing, that won't wash in the US," he continued. "They hand out VP titles like sweets over there, and even the janitor gets a director title."

I realised I was screwed. I had seized the poisoned chalice without asking the crucial question of whether I had the senior backing, authority and mandate to carry it through. Unlike me, my wise old colleague had taken years to hobnob with the Board, working his way up and gaining their confidence, along with the tacit authority he needed to do his job.

I, on the other hand, was fresh meat with no long track record of doing the job. Despite the title, I had no real authority.

Eventually, and due to the inevitable series of breaches and incidents that followed, the need for logical security across systems and networks began to be recognised, along with a (reluctant) recognition of the security role and its resourcing. But it was a hard road.

I would spare you that pain.

Although a lot has changed in recent years, with major publicised breaches, massive fines, and a raft of compliance rulebooks all driving a higher profile for the CISO* function, it still needs to obtain a level of authority which is more than just words on a business card in order to be effective. The security function still occasionally finds itself in conflict with the more 'gung-ho' elements of the business, and sometimes you just need a bigger cudgel than the other guy. The major publicised breaches of the last five years, and their resulting post-mortem investigations, still reveal cases where CISOs' advice and requests for resources have been ignored, with inevitable consequences. In my view the problem is still not fixed.

Try asking yourself these questions, either in your current job or at interview:

  1. "If I discovered a 'platinum card' product or programme is about to be launched containing serious security flaws, would I be able to halt it and demand security remedial work be implemented before it goes live?"
  2. "Do I find myself having to agree to 'waivers', 'exceptions' or exemptions to security policies and controls on a regular basis?"
  3. "How often do cybersecurity red flags get steamrollered by the more immediate 'business benefits' being touted?"

If your answers are respectively "no/unlikely", "yes" and "frequently" to these questions, you might want to think about shifting job.

The following are the types and sources of authority you might have available to you as a CISO*:

  • Ex officio authority - i.e. the authority conferred upon you by your job title.
  • Grade authority - i.e. having a higher pay grade or seniority than those you need to influence or get to take action. (Note that there are still very few CISOs who sit on the Board.)
  • Mandate authority - having clearly communicated and documented backing and a mandate from the highest level of the organisation.
  • Governance authority - e.g. you are a required step in a governance or compliance process, such as in a highly regulated sector.
  • Leadership style and influence - building trust and confidence to motivate people who are not necessarily under your direct command to take action, by informing them, building trust, and maintaining integrity and a record of successes over time.
  • Force majeure - i.e. a major event occurs which overrides all other priorities and temporarily puts you in charge of a situation.
  • Subjective seniority - i.e. behaving and communicating in a confident way that suggests to others that you have more seniority and authority than your actual pay grade implies.

As I have already outlined, ex officio authority in the shape of your job title doesn't by itself necessarily confer enough authority to challenge the business on 'gold card' projects, or to influence management at a far higher pay grade than your own.

Today, Covid-era priorities have radically shifted, and shortcuts to business survival and recovery need to be taken. Senior management focus will be on ensuring those things happen, and cyber security, while important to us, might not be right up there with those priorities. Cybersecurity will still need to fight to keep its place at the table. Even now, you need the courage to act even when you stand to lose.

Grade authority helps, but only when dealing with people at equal or lower grade, and is essentially useless or even career-limiting if, for example, you discover fraud or excessive risk-taking at a senior level and need to tackle it.

Mandate authority from the highest level of the organisation is the absolute must-have to do your job fully and effectively. It allows you to override almost all the others, and effectively call foul on risky and insecure behaviours at almost any level in the business.

It needs to be in writing, well communicated and embedded within the business culture. (Obtaining verbal authority in a closed session, only to be defeated in a public one, doesn't really 'do it' for me.)

Governance authority is also a very powerful lever, but it's often only available to a chosen few who happen to work in a highly regulated sector like banking, or where safety and security considerations are an integral part of the business mission, such as aviation, military, nuclear, pharma etc. (A word of caution though: governance authority by itself tends to make you into a sort of 'network policeman' or a 'necessary evil' in the business process, and doesn't often win the hearts and minds of the organisation.)

Force majeure, such as responding to a major breach, may well give you the temporary authority to do whatever is required, but corporate memory is short, and that authority often dissipates once the incident has passed and business-as-usual resumes, and profit motives soon return to override risk concerns.

Leadership style, and learning to project yourself in both seniority and influence, are essential skills, but all take a long time and effort to acquire. Whereas as a new CISO or equivalent function fresh into a new role, you need to be winning battles right out of the blocks rather than losing them, along with your credibility.

The nightmare situation to be avoided here is that of carrying the responsibility for managing security, but without the power, authority or resourcing to actually do it effectively. The only thing you'll end up carrying is the blame.

So if you are a CISO or senior risk function manager looking for a new 'head of' role in a new company, your #1 question at interview should be "Where will my authority come from?" If the answer is vague or points to a place too low in the organisational hierarchy, you might want to think carefully before accepting the job.


* Though this article primarily addresses the Chief Information Security Officer (CISO) role, it also applies more generally to similar risk management functions and roles, where the need to balance the risk / benefit equation often requires the head of risk function to use their influence to ensure the necessary controls are put in place.



Steve Treharne

Group Director - Cyber, Information Security, Physical Security and Business Resilience

3 years

Adrian - what a superb article: incisive and articulate, and certainly chimed with me....thanks for sharing!

Philip Winstanley

Cyber Man | Security Leader | Disruptive

3 years

Thanks for the write up, I wonder if not having authority is also something that means we build up influence in other ways that actually has more reach and persistence when people in key roles change?

Karl DiMascio

Chief Marketing Officer at Streaming Defense

3 years

Great article Adrian!

Mathew H, CISM

Digital, Technology & Security Leader. Certified Information Security Manager, ISO 27001 Lead Auditor & Microsoft Expert * Opinions my own *

3 years

This is a fantastic article Adrian. Thank you for sharing.
