Chief Information Security Officers (CISOs) are under fire right now, and with good reason.
Recent high-profile cases and the accompanying legal allegations might make you pause and wonder, "Is the risk worth it?"
In my experience, the answer lies in defining the goals, responsibilities, and requirements associated with the title. It’s about establishing effective methods to meet these responsibilities and understanding the repercussions of failing to perform these duties.
With all the issues, challenges, allegations, and charges being leveled at some CISOs, why would anyone want to be one? Is the job of a CISO really that risky?
Let's delve into actions to safeguard both your organization and your career.
What Is a CISO’s Role, Really?
CISOs are responsible for the overall information security of their organization.
This involves understanding the risk tolerance set by the executive board and aligning it with the actions and activities of the IT team to mitigate the risks within that tolerance.
The executive role of CISO requires an individual to balance business risk with security risk and apply appropriate governance to achieve this balance.
To confirm this balance is being achieved, a CISO should rely on validation and verification mechanisms that show these strategies are being implemented successfully. This should be done through a combination of third-party assessment, internal audit and documentation, certification, and technical validation/enforcement.
How to Set the Tone for Your Organization
Governance, Risk, and Compliance (GRC) is the lifeline for any CISO aiming to make a positive impact on their organization.
It provides overall guidance on what your organization should be doing, how it is going to do it, and how those processes will be validated.
GRC isn’t a ‘one-and-done’ process; it becomes part of the overall corporate culture.
The culture sets the tone for everyone in the organization from the executive suite to the front-line workers. Everyone has a part to play, and everyone has responsibilities for maintaining security.
The risk comes from failing to set and enforce the proper role of security within the organization.
If employees think it’s acceptable to ignore an audit result or if an executive believes it’s okay to accept the risk of a missing control, these decisions will continue as part of the normal course of action for the organization.
Instead, consider discussing the details and documenting the discussion and final decision.
Regular reviews ensure the risk tolerance of the organization hasn’t changed.
Not only does this foster open communication, but it also signals to everyone involved that decisions are shared jointly among the group. Reviews ensure everyone understands the risk, control, resources, and results before making a final decision. Additionally, it builds personal accountability for everyone involved in the decision, not just the CISO.
Why Chasing Certifications Isn’t the Answer
While many organizations choose to pursue certifications to ‘validate’ their security, this approach is misguided: a certification only validates the effectiveness of a limited set of controls for a specific period.
An effective GRC and Security Program should stand on its own, meeting security standards without relying solely on certifications. This program can be based on any one of several frameworks – ISO, NIST, CIS, or other industry-specific guidelines.
The best programs combine framework guidelines with items specific to the organization’s industry, operations, and culture.
Once this framework is established, the processes can be implemented, audited, tested, and verified.
Establishing the overall framework first and building GRC around it makes the certification process easier: instead of building a program around a single certification’s process, you allow that certification process to act as an audit of your existing program.
Recent scrutiny emphasizing personal responsibility for CISO actions should prompt reflection, not fear.
Establishing a Security Program based on a recognized framework and implementing GRC controls around it is the starting point.
Cultivating a culture of security awareness and documented decision-making involving both executives and technical members enhances understanding of overall risks and the organization’s risk appetite.
Certifications like SOC 2, ISO, and others should not be pursued solely for compliance but as reflections of an existing culture of security.
If your organization is struggling to establish a Security Program or a culture of compliance, or if you are seeking an experienced third-party assessment of your controls, reach out to the PacketWatch Advisory Services team today.
Todd Welfelt has an Information Technology career spanning more than 25 years.
Todd has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks as well as provide real-world risk reduction.
If you need help with your compliance or accreditation programs, please contact PacketWatch so we can discuss how we can help your organization meet and exceed its compliance goals.