If you’re not in the meeting where decisions are made, then you’re not part of the C-Suite—whatever your title may be.

Look around the CISO community, and you’ll find signs of burnout everywhere. Where CISOs aren’t just quitting, you’ll find increasing tension between them and their executives, sometimes resulting in surprising departures. Ply a friendly CISO with their favorite alcoholic beverage and a promise of being off-the-record, and you’ll hear stories that’ll raise your hackles: CISOs prodded to mislead the Board, CISOs summarily dismissed when pointing out security issues, CISOs that other executives won’t talk to, security projects committed and then defunded. CISOs do talk to each other, and the stress in the industry is real, mounting, and a serious problem.

While my favorite humorous definition of stress is “that feeling when you suppress the urge to pummel someone who deserves it,” I prefer to think of stress as simply being the energy cost you pay when the world and your expectations don’t line up. When something goes surprisingly wrong in the world, you feel stress. That stress is aggravated by having to spend time dealing with a situation you didn’t prepare for. But we’ve heard all of these stories from our peers, we are prepared, so why are we still stressed? It’s all in the title. Chief Information Security Officer (or, if you’re really cool, merely Chief Security Officer). That “Chief” at the beginning carries a lot of weighty expectations. You’ve made it. You’re the top of the heap. You’re part of the C-Suite, the executive team that guides the business. Or not.

Survey after survey tries to ferret out who the CISO “reports” to, and the results are fairly dismal: the CISO does not report to the CEO. Some surveys don’t define “reports to” very well and so report high numbers, so let me be clear: If you report to the CEO, then you are in the CEO’s staff meeting.
Not the extended, 30-person monthly management meeting, but the weekly meeting with around ten people in it: the CEO, CFO, general counsel, CRO, CMO, CHRO, CTO, CPO, COO, CIO (maybe), and the CEO’s Chief of Staff. That’s the meeting where decisions are made. The big management meeting you get to join? It’s where you get told what the decisions are. Maybe you get to tweak decisions around the edges, but it’s rare that you get to influence a major decision if you’re not in the small team.

And that’s your source of stress. Instead of input coming from the head of security as every decision is being made, it has to come in after the fact. The CHRO gets to nip bad ideas in the bud, but you have to spend serious effort to fight one that’s already rolling downhill. The CIO has already committed (or, more likely, been forced to commit) to cost-cutting measures that will impact security before anyone around that table even heard the word risk. Humans make decisions all the time based on first impressions, and then retroactively justify their choices, and the C-Suite is no exception. If you’re not there to influence the decision, then it doesn’t matter what your title is: you’re not part of the C-Suite.

Is our profession doomed forever? Of course not. The CIO profession has only recently completed its transition into the C-Suite, and there are early indications that as every business becomes a technology business they’ll be merged with the CTO or CPO role in some fashion. CMOs are still transitioning out from under the sales organization as companies realize that “closing deals” is not the same discipline as managing your brand and pipeline. Security is a top ten risk of nearly every Fortune 500 company (if it isn’t already in the top five). It isn’t going to be properly addressed with a CISO always running around cleaning up the problems created by decisions made in a room without a security presence.
A CISO who is often treated like a proverbial dancing bear—show up on demand and perform the “demystifying security” routine for the Board to give them comfort, then go back to trying to backfill positions at non-competitive salaries while chasing incident after incident—isn’t a recipe for success now or in the future.

But until the CISO is truly integrated into the C-Suite and major decisions gain the benefit of their counsel, companies and CISOs alike will keep paying the price.