CEO’s enabling CISO’s
10 commandments for CEO’s when positioning a CISO in their organization and the questions auditors and supervisors pose to the board…
By Paul W.M. Oor
Despite the fact that ICT security has become an essential factor for the resilience of all organizations, most CISO’s haven’t made it to the boardroom. And their relationship with the board is complex, to say the least. Fortunately compliance, protection of personal data and audits, have proven to be a solid stepping stone for communication between the management and the security teams in the organization. Now it’s time for the next step and address effectiveness of ICT security governance on the agenda of the board, auditors and supervisory bodies. Considering the 10 commandments for CEO’s addressing ICT security governance in their organization, introduced in this article, will lead to more effective ICT security governance. Enabling management to respond satisfactory when questioned by stakeholders; “are you in control of ICT security?”.
There is a continuous debate in The Netherlands which organizations and companies provide essential services and should therefore require extra attention and oversight. There is no discussion however on the fact that ICT has become an essential service for most organizations. Digitalization has become and remains a priority for organizations to maintain and improve their services as every company has become a software company. Security has made it to the boardroom, whether the board likes it or not.
Considering the increased importance of security i.e., the protection of (personal) data most organizations are moving to a license to process situation and ICT security governance will become even more a key topic on the agenda of directors and managers. This has a significant impact on the relationship and expectations of the board and the CISO.
The majority of CxO’s is now addressing challenges and digital topics impacting their organizations’ risk profile. They realize that cyber threats and potential privacy issues have become – more than ever before – a major threat factor to their business.
Many however still revert to the most obvious solution… hire a CISO and let him deal with this.
CISO longevity ultimately impacts organizational cyberdefense effectiveness. (Source: governing.com)
Security and data protection professionals are aware that this approach is a business risk in itself. The turnover rate of CISO’s is currently way too high. There are various reports stating the average tenure of CISO’s is just over 2 years! A very concerning product lifecycle! A fresh start, once in a while, is usually a good thing for both organizations and professionals. On the other hand, the complex role and responsibilities of a CISO do require a significant number of flying hours to familiarize himself/herself with the organization and the market the organization operates in.
Where does it go wrong? Is it time to change the relationship between the board of directors and their CISO’s to improve the tenure rate and thus the cyber risk profile of the organization?
Security and Privacy Governance
Next to markets, culture, products and services of an organization the profile of most organizations is determined by governance; the way in which specific themes in an organization are designed, operated and organized. Next to formal processes and procedures, continuously adapting and dealing with the today’s dynamics and developments, I’ve seen that governance has become very dependent on expectations and therefore expectations-management.
Things tend to go in the wrong direction when security and privacy come into play. Expectations in this field usually aren’t well aligned in many cases. I’ve noticed that the board or the CISO realize at some point in time that the expectations resulting from simply hiring a CISO do not make all cyber challenges disappear. Especially when the responsibility for ICT security governance is not explicitly assigned as a responsibility to a specific member of the board. This leaves the CISO floating around in the organization on a kind of ‘best effort’ bases.
Compliance is easy?!
The first question auditors and supervisors usually ask, when visiting and scrutinizing an organization: “Are security policies signed and supported by the board?” The management and representatives of the board, attending e.g., the opening meeting with the auditors, and the other attendees, must and will answer “Yes, of course”.
Security & Data Protection Governance 2021: effectiveness of controls is the most important key indicator of an organizations’ cyber resilience!
Stating the opposite would immediately result in a major finding; jeopardizing the e.g., ISO27001 or even an assurance statement. From a compliance perspective the answer is not far from the truth. Usually, the board of directors and their managers have properly signed the security and data protection policies presented to them by their CISO.
Compliant = effective?
Yes, I’ve been there, seen that, done that…
I’ve been in that uncomfortable position myself as well. Making the most of it and wondering why the auditors do not ask the board members present whether they are aware and informed on current cyber risks threatening their organization, actively involved and familiar with the security and privacy governance in their organization. And whether they consider their CISO to be in an effective position to support the organization, to become as resilient as possible against cyber security and data loss threats.
That should invoke an interesting and productive discussion as well as a tangible trigger for continuous improvement.
So how do we improve the risk profile of the organization and the tenure rate of CISO’s?
Let’s face it; most board members are not comfortable with the topics Security and Data Protection professionals are keen to get them involved in. CxO’s are usually born, bred and educated to bring organizations to a next level, focus on innovation and growth, taking calculated risks along the way and are not always open to – even respectful – contraction.
On the other hand, security professionals are likely to view the decisions at hand from other perspectives; focusing on risks for the business or even society. This potential mismatch is a recipe for inconvenient and uncomfortable communications. If any communication at all…
Frankly speaking, as security professionals we are to blame as well. I have seen various generations of Security Professionals dealing with this in multiple ways. Both offensive and defensive. During the last few years, I admit to have operated from a more or less defensive attitude. If progress to maintain and improve ICT security governance was not adequate; “hey, it must be me and my teams; we’ll just work even harder than before”. “If I wasn’t met with a receptive audience in the board to share my concerns and proposed solutions with them, it must be me. So, I’ll rephrase my storyline and adapt my reports and give it another try.”
Lately I have become less convinced that it is all up to the security professionals; there has to be a balance, right? Yes, we are paid well enough to work on increasingly complex and diverse activities. Responding to fascinating, incredible divers, dynamic and complex questions and situations. Benefiting from our professional knowledge and experiences. Quite interesting. Nevertheless, on average we leave our employers and organizations more often than other professionals. So where does it go wrong?
Implicit expectations or explicit security and data protection governance?
I deliberately used the words activities and responding. You will notice that strategy and governance seem to be missing. Many CISO’s are hired by the board of directors as the solution to security governance challenges. Many of us, myself included, happily rise to the occasion and take on this interesting professional challenge; dealing with anything the organization throws at us. Usually, we get plenty of maneuvering space, especially because the board is – more often than not – uncomfortable with our professional domain and topics. And especially when the shit hits the fan’ the CISO does his magic and we are all heroes.
Well, it’s time to realign the relationship and expectations of both the board and the CISO. Bottom line; to stay in business, board members and the operation itself will have to take a more active interest in the topics security and privacy professionals are concerned about.
It’s all about proper governance.
‘Security & Data Protection reports should nowadays be treated by the board like they treat and assess financial reports.’ – Paul Oor, 2019
The (prospective) CISO on the other hand will have to assure himself that he’s placed in an effective position in the organization with the proper mandate and responsibilities. Not only on paper, serving primarily compliance, but with explicit expectations between management and the CISO.
That’s the only way to get out of the reactive mode and make security and data protection professionals more effective in supporting management with their knowledge and experience. This not only makes this the organization a much better place to work for. Next time the auditor, supervisors or even concerned clients walk in and validate the awareness, information position and control of the board on cyber risks threatening organization, they will be assured that these topics receive tangible and active interest from the board. Making the organization as resilient as possible to deal with cyber security and data loss threats.
Moving from implicit expectations to explicit commitment?
With the vison of hindsight, I have become convinced that tangible interest and commitment from the board toward ICT security and data protection topics is essential in today’s organizations to ensure effective ICT security governance. And it’s time for a more assertive approach by the (prospective) CISO; thus I’ve defined the “10 commandments for board members and managers who are serious in placing their CISO in an effective position” below. No disrespect intended and do feel free to convert the items on the list into a personal checklist instead of using them as commandments. Going through these items together with the board will put the CISO in a good position to be an effective security officer and thus a valuable asset for management and the organization. Also when the auditors come in and investigate the effectiveness of ICT security governance.
10 commandments for board members and managers who are serious in placing their CISO in an effective position
- I realize that security management is not a department. Everyone in my organization is responsible for proper ICT Security and data protection and as a member of the board, director or manager I’m accountable for due diligence and due care.
- I make sure that my organization meets the ICT security and data protection expectations and contracted requirements when delivering our products and services; compliant and effective.
- I make sure that security and data protection are addressed in the (annual) business planning and reporting.
- I define Security Key Performance Indicators (sKPI) for my organization and track the progress and performance; integrated in the day-to-day business reporting cycle. I give these figures the same attention I give to the financial figures of the organization as – like financial figures – the organizations digital resilience is a multidisciplinary topic and key for the survival and growth of my organization.
- I will make sure that the views and proposals of my CISO and his team are not considered a nuisance but as valuable advice, at least until properly assessed. It’s alright if the CISO has to work hard to get some attention once in a while but I make sure that this is not the regular modus operandi and that the CISO’s opinions are not simply circumnavigated or ignored.
- I understand the importance of cyber security and privacy risks for the success of my organization and will therefore actively and timely involve the CISO and other security professionals in projects, programs, innovation initiatives etc.
- It’s OK that my CISO hasn’t made it to the boardroom but I will arrange that the CISO and security and privacy professionals in my organization are properly represented in the board and management, respected and well positioned in my organization to ensure their effectiveness.
- I will make sure that everyone is my organization is transparent and willing to report threats, incidents etc. These are always reported ASAP to the CISO and are not dealt with under wraps or otherwise obscured.
- l will ensure that my CISO has access to all(!) information in the organization to enable him to be effective and thus to facilitate him to inform the organizations’ stakeholders properly and transparent.
- I will avoid the CIA triad; i.e., simply only involving the CISO’s when dealing with Commercial opportunities, Incidents or Audits. I’m continuously interested in briefings provided by my CISO about his concerns and the organizations’ remediation initiatives. I will accompany the CISO regularly to attend cybersecurity and data protection conferences, briefings and presentations to stay on top of cyber related risks and opportunities for my organization.
I have a dream; if all these conditions are met the CISO might be out-of-a-job soon. Organizations managed like this are likely to be very successful, have security in their DNA and will seek extra competent support on a need-to and ad hoc bases only. That, or the CISO will end up with a rather dull job without too much challenges. Be assured however there are numerous organizations which will not have reached this maturity level yet and will be eager to benefit from CISO-services to enable them to successfully compete with established companies. Apart from that, the dynamics and continuous flux of ICT related topics in society and organizations guarantee the continuous need for skilled and competent security and data protection professionals. To support and sometimes even challenge the board in a professional way.
The only constant is change; in the future we will be redefining the fit and gap of ICT security governance roles and responsibilities and the relationship between ICT security professionals and the board over and over again. And yes, the commandments are a bit harsh and one- sided; that doesn’t mean the CISO is off the hook; he will have his own set of commandments to operate effectively as well, but that’s another story.
 CxO = CEO, CFO, COO etc.
 Him? Yes, in this article I refer to person(s) as him, but I’m definitely aware that here are excellent CISO’s of the other gender(s)…
 From here on I will use security (only) when referring to security and (personal) data protection as I consider these two areas fully intertwined and relevant areas of interest and activity for any CISO.
 The CISO Job And Its Short Tenure (forbes.com); Average tenure of a CISO is just 26 months due to high stress and burnout | ZDNet; 24 Percent Of Fortune 500 CISOs On The Job For Just One Year (cybersecurityventures.com)
 Security professionals will recognize this alternative CIA-triad as a teasing reference to our professional CIA-triad; Confidentiality, Integrity and Availability; our key mission.
About the author
Paul W.M. Oor CISM, CISSP, CCSP, CIPP/e
Alleen de auteur is verantwoordelijk voor de standpunten die in dit artikel worden geuit. Het artikel vertegenwoordigt niet noodzakelijk de standpunten, besluiten of het beleid van het ISACA NL Chapter. De standpunten die in dit artikel worden geuit kunnen op geen enkele manier worden opgevat als een weergave van een officieel standpunt van het bestuur van ISACA NL Chapter.
De auteur heeft alle redelijke voorzorgsmaatregelen genomen om de informatie in deze publicatie te verifiëren. Het gepubliceerde materiaal wordt echter verspreid zonder enige vorm van garantie, expliciet of impliciet. De verantwoordelijkheid voor de interpretatie en het gebruik van het materiaal ligt bij de lezer. De auteur en het bestuur van ISACA NL Chapter zijn in geen geval aansprakelijk voor schade die voortvloeit uit het gebruik ervan.
The author alone is responsible for the views expressed in this article. The views mentioned do not necessarily represent the views, decisions or policies of the ISACA NL Chapter. The views expressed herein can in no way be taken to reflect the official opinion of the board of ISACA NL Chapter.
All reasonable precautions have been taken by the author to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material lies with the reader. In no event shall the author or the board of ISACA NL Chapter be liable for damages arising from its us