The CISO position has been around for some time now. Despite that, the role in many organizations is still maturing. Some companies still don't have a CISO, and for those that do, there are some growing pains when it comes to how this critical role fits in among already existing members of the C-Suite.
The Chief Information Security Officer (CISO) is a leader of the cybersecurity and information security program, who manages risk while finding ways to achieve business initiatives. By this definition, the CISO must work collaboratively with other leaders and executives in the organization to be successful.
But, in talking to community banks, there is an avoidable mistake that many new CISOs (less than 18 months in the position) are making that jeopardizes their ability to be a contributing member of the team.
That mistake can be summarized with one phrase: Lack of Priorities.
If Everything is Important, Then Nothing Is
There are numerous skill sets that every CISO must possess. But we've heard and seen time and time again, that without proper prioritization, their effectiveness can be impacted in a big way.
One of the key functions of a CISO is to identify areas of risk and clearly communicate those risks to other members of the management team. Without priorities, that communication gets really foggy. This can cause several negative results:
- The sky is falling: When everything is an emergency, it doesn't take long for everyone to label the CISO as Chicken Little.
- The big stuff gets lost in the noise: When every risk is categorized as 'high', the truly important action items don't get the attention they deserve.
- Lost credibility: If the CISO is consistently guilty of #1 & #2, they will quickly lose credibility with management and the board. And, if in the process, they are making others' lives miserable, they will lose goodwill with their peers.
- Dismissal: Yes, this can all ultimately mean dismissal and the hiring of a new CISO. We've witnessed this several times. Once the CISO hits #3, it can be really tough to repair trust and relationships. The only way to fix it for the organization is to start over.
(For more about this topic check out out post: If Everything Is Important Than Nothing Is)
Why Does the CISO do this?
While every CISO is different, and personality traits can play a factor, there are some recurring causes to this approach:
- Fear, Uncertainty, and Doubt (FUD): though I'm personally opposed to this approach in cybersecurity, FUD can be a way to prove a point, or teach a concept when a new CISO hasn't yet developed their own internal rapport.
- Get the attention of management: sometimes it's tempting for a new CISO to make an early name for themselves by "uncovering" a major issue or risk in the organization.
- Nervous about being blamed: Some CISOs have enormous pressure on them to "keep the organization out of trouble". When this happens, some CISOs tend to lean toward risk avoidance rather than risk management to avoid being blamed for an incident.
What Can Management do to Avoid This?
The management team will want to prevent this situation with their CISO at all cost. Going down this road means you'll have an ineffective member of your team for about 6-12 months as you figure out what to do with them. And every manager knows that turnover is costly and difficult. Even if you commit to fixing the problem after it is started, it will be a long process to re-establish their internal credibility (and it may not work at all).
There are several things that can be done to avoid this:
- Hire properly: Does your CISO have the right mix of skills when you hire them? (see Six Pillars of Knowledge and Expertise here)
- Set a culture of cybersecurity: If your CISO is on a one-man mission to save your organization from the cyber-apocalypse, you can count on them overstating just about everything. Set a culture of top-down responsibility for cybersecurity. Let them know you are all in it together.
- Get your new CISO a coach or mentor. Think about how valuable it would be for them to have someone to bounce ideas off of, and discuss what it really important. Their learning curve will be dramatically reduced and your team will thank you for it. It may cost a bit upfront, but it's an investment in the long run.