A few months ago I was listening to a podcast. The business owner being interviewed wasn't in cybersecurity but had a consulting business. And he talked about how he operated his business with a Fiduciary Standard of Care.
He defined it as: “an advisor must put their clients’ interests above their own”
Interesting.
For years we’ve avoided reseller opportunities and product offerings that could influence our advice or even the perceived integrity of that advice. But I'd never heard it described as a fiduciary standard of care.
It describes how we've decided to run this business for the last 8 years but it's using language that other well-known professions have been using for centuries. I've been hearing a lot of buzz lately on podcasts and LinkedIn about how the CISO profession needs to evolve to be more like lawyers and CPAs. This would include certifying bodies and, more importantly, a code of ethics.
So I started asking questions like:
Is that just how we run our business?
OR
Is that how all vCISOs should operate?
OR (and this is the interesting part)
Should ALL CISOs operate with a fiduciary standard of care?
To get our answer, we have to go a little deeper into the root of the word “fiduciary”.
Fiduciary comes from the Latin word “fidere”, which means trust. Today’s definitions often point to the relationship between a trustee and beneficiary, but the more general definition is : “involving a confidence or trust”
The fiduciary relationship is commonly associated with financial advisors, but it extends to many other professions where trust is involved, like lawyers and doctors.
Doctors have a legal fiduciary responsibility to their patients called the “physician-patient relationship” (1):
“…its foundation on the theory that the physician is learned, skilled and experienced in those subjects about which the patient ordinarily knows little or nothing, but which are of the most vital importance and interest to him, since upon them may depend the health, or even life, of himself or family.”
That sounds really familiar.
All you have to do is substitute “CISO” for “doctor”, “business owner” for “patient” and “financial and operational sustainability” for “health…” and you have:
“…its foundation on the theory that the CISO is learned, skilled and experienced in those subjects about which the business owner ordinarily knows little or nothing, but which are of the most vital importance and interest to him, since upon them may depend the financial and operational sustainability of his business.”
I have a very tough time arguing against that as describing the responsibilities of the CISO to their client or employer. And it tells me that CISOs (both conventional and virtual) should operate with a fiduciary standard of care – and more importantly, business owners, boards of directors, and executives should expect that from their CISO.
What does that mean in practice?
It means that you need to have a CISO that you can trust.
It also means that you shouldn’t put them in positions where it's hard to hold your interests above their own. Keep your CISO separate from all IT operations and reseller relationships, where they could stand to gain in career or finances from their advice (again, this is true for conventional and virtual).
The CISO is a position of trust, regardless of whether it is in-house or outsourced. The CISO needs to always act in the best interest of the business it serves. We believe that all starts with having someone that is independent and qualified in that role. If your bank or credit union is having a tough time finding that person, let us know and we can help you explore your options. Email us any time at support@bedelsecurity.com.
References: