
ISACA Now Blog

Eddie Schwartz: The State of the CISO


Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, President and COO, White Ops, Inc., ISACA Board Director

Posted at 3:20 PM by ISACA News | Category: Security
Three decades ago, the invention of the chief information security officer (CISO) role seemed like a brilliant idea. Imagine the benefits of a
C-suite position for cyber security and how such an executive role would help ensure members of senior management take the issue
seriously and provide needed support across the organization. Maybe. Maybe not.

The first generation of CISOs primarily focused on creating information security programs and the role of security relative to emerging
compliance demands across the public and private sectors and the needs of the board’s audit committee. Unfortunately, unlike their physical
security counterparts, CISOs largely did not specifically focus on the protection of assets and the mapping of bad guys (threat) and
vulnerabilities to those assets, but on the efficacy of the compliance efforts regardless of the effectiveness of the actual controls. This
approach has created a gap in skills and a focus in the industry that has haunted CISOs ever since.

Cyber security is a multi-billion-dollar industry that continues to spawn more technology and more high-paid jobs than most other areas of IT. But where is the evidence
that all of this investment, growth, training and effort has helped the industry improve its ability to detect and deter the bad guys? Fear, uncertainty and doubt often
show up in the PowerPoint presentations of vendors and in the internal marketing agendas of CISOs, but the corresponding solutions have not produced the tangible
business value or effectiveness that has been demonstrated in other IT fields, or even in adjacent fields such as fraud detection or physical security.

Criminals, nation-states and activists seem to be successful at cyber attacks whenever they wish to be. Gone are the days of statements from CISOs such as “we have
never been breached.” Many CISOs now set the bar fairly low on protecting the most valuable corporate data versus creating the boardroom expectation that data
breaches are inevitable. Some CISOs blame the early focus on compliance, or IT’s focus on agility and technology change, or the ineffectiveness of security technology as
causes of the current predicament. Others feel the real problem is the lack of resources, whether budgetary or properly trained cyber security people.

CISO to Chief Scapegoat Officer ASAP


It is not surprising given the lower expectations and results that some well-intentioned and seasoned cyber security professionals go from CISO to Chief Scapegoat Officer
in short order. Part of the problem is that even after nearly 30 years, the purpose and promise of the CISO is still very much unsettled. Some believe CISOs are not
powerful enough or properly positioned in the organization to accomplish the job they have been asked to do.

There are long-standing arguments over the proper reporting relationship of the CISO. If the CISO reports to the chief information officer (CIO), he/she can have a direct
impact on the IT organization and a seat at the table, but many CISOs continue to believe that such a relationship removes “independence” from the CISO’s agenda.

On the other hand, moving the CISO to report to a non-IT supervisor, such as a chief operating officer (COO), may place the position under someone who does not
adequately understand technology in some industries, or may not devote the level of interest to the CISO’s agenda versus actual or perceived revenue-generating
activities.

What Top CISOs Know


What many top CISOs do know is that to be effective going forward, they must understand the business and make themselves relatable. Over the long run, CISOs cannot
maintain the levels of growth in capex and opex spending they have enjoyed unless they can demonstrate a clearer linkage to business results, deliver protection of
shareholder and business interests quantitatively, and measure the impact of their efforts in ways that non-security and IT people can understand.

Although the CISO role still is nascent compared to many C-level jobs, it must evolve faster to survive—with agility and a scope that spans security, business, IT and
corporate governance.

Editor’s note: Eddie Schwartz, President and COO, White Ops, Inc., and ISACA Board Director, will be a senior speaker on a Cybersecurity Information Exchange
Panel at the inaugural CSX Europe conference 31 October-2 November in London, and will be a keynote speaker at the inaugural CSX 2016 Asia Pacific
conference 14-16 November in Singapore, presenting The Challenges and Opportunities of the CISO in Today's World. ISACA will also present the 2016 CSX
North America conference 17-19 October in Las Vegas.

Comments
Very nice summarized article
Very nice summarized article for CISO career and progress through its life time.

Totally agree, that the CISO role still is nascent compared to many C-level jobs, it must evolve faster to survive.
AlaaRagab at 10/11/2016 8:53 AM

FUD is not a board fundamental


Fear, uncertainty and doubt may get you a few bucks but not the trust or respect of your board, peers and customers in the long term. The role of the CISO has been a
twisted path since so many people come into the security profession with VERY different backgrounds, experience and expectations of what is important to the
organizations and entities we are charged with protecting. As your article states, we need to have BOTH business and security acumen to go forward.

Jean632 at 10/31/2016 2:16 PM

You must be logged in and a member to post a comment to this blog.
