Your CTO is Not an Assistant

Long-time readers of this newsletter may have heard me mention youth basketball once or twice.

Okay, four times previously (one, two, three, four), with one more coming your way right now.

But here’s the thing … I LOVE youth basketball.

I LOVE being at practice – helping the kids improve their game.

I LOVE coaching – helping the team perform at its absolute best.

I LOVE interacting with parents – asking multiple times if their child will be there; changing the line-up five minutes before the start of a game when a kid doesn’t show up; canceling games because we don’t have enough players.

Okay, I love two out of three of these things. Youth basketball practice and coaching, yes. Youth basketball administration … no way!

But there’s no getting around it. This season, I am coaching two teams – 5/6th grade girls and 7/8th grade boys (not coincidentally, I have children who are those exact same ages) – and for some reason the parents this year are unresponsive.

Part of the problem is that each team has its own dedicated app for managing its schedule (my wife and I have five apps between us for kid sports alone). So people lose track, forget to respond, blah, blah, blah.

It’s annoying (can you tell?), but it’s the price of admission. Like it or not, if you want to coach youth sports, you need to deal with the administrivia that comes with it.

As it turns out, running a cybersecurity program also requires a fair amount of administration. That means keeping track of things like:

  • Who are your vendors; how are they performing?
  • Were your employees off-boarded properly?
  • Did you run background checks for new employees?
  • Did you send out the cybersecurity training?
  • Have you checked to see who is enabled in your systems?
  • Has that contractor been taken off the account he is no longer working on?
  • Is MFA turned on for system X, Y, or Z?

At its core, cybersecurity is information-based. And while doing it well requires a fair amount of high-level skills and strategic thinking, the bulk of the day-to-day work is administrative – up-to-date documentation and a commitment to process are essential.

The Right Person for the Job

But who should be responsible for overseeing all this? Giving it to the CTO may seem logical … after all, they are the most senior tech person in the company. But doing so is a mistake.

Yes, this person has a strong commitment to and interest in the organization’s cybersecurity. But they are too busy – and, frankly, too expensive – to get involved in the laundry list of things mentioned above. They are focused on the technology and, given their limited bandwidth, they will do the things that make the best use of their time (hint: it’s not administration).

A much better solution is to give it to your company’s “organizational hub.” I bet you have someone like this. It’s the person who, while not an expert in technology, is an expert in the company itself. The person who knows all the players, all the interconnections, and all the ins and outs of how things work.

Give them responsibility for documenting, tracking, and overseeing all the day-to-day elements of your cybersecurity program. They don’t need to be “basketball” experts … they just need to be really, really good at keeping the wheels turning.

Will the CTO object? Not likely. In all the conversations I’ve had with CTOs over the years, not one of them has ever said, “Rob, I love performing the administrative parts of my cybersecurity program.” In my experience, these folks are relieved to hand off the admin stuff to someone else.

One last thing. I’ve worked with all kinds of organizations over the years – different sizes, different industries, different corporate cultures.

Each is unique in how it operates. But there is one rule that seems to apply across the board: If the cybersecurity administration is left in the hands of the CTO or other senior leader, that organization does not have a good cybersecurity program. It’s just not a match that works.

Gotta run. I’m one player short for tonight’s game and I’ve got some calls to make!

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

This article originally appeared on the Fractional CISO blog.

Merlin Namuth

Global Leader | Chief Information Security Officer (CISO) | vCISO | Advisory Boards | Altruistic Servant Leader | Keynote & International Presenter

7 months ago

Thanks for sharing. Great insights!

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

7 months ago

I do not think the CTOs are doing that admin stuff anyway, and you are right; it will be a waste of their time and pay. You just created a new position, the ATO = Admin non-Technical Officer... Maybe some of these things are already done by a GRC function
