The first-ever CISO, the late Steve Katz, earned the title chief information security officer at Citicorp in 1995 after Russian hackers stole more than $10 million from the financial institution. Thirty years later, this relative latecomer leadership role remains largely misunderstood — and subject to greater responsibility volatility than more traditional and established leadership roles such as CFO.

It is no surprise, then, that many employees and even executives do not fully grasp what their organizations’ CISOs do — a problem many CISOs run up against in fulfilling their primary responsibilities for the enterprise.

“A CISO does everything related to cybersecurity that nobody else in the company wants to do,” Andy Ellis, CISO, Partner at YL Ventures, and advisor to cybersecurity startups, tells CSO.

“That sounds trite, but that is the elevator pitch for the longer thing, which is that a CISO is the other half of the CIO. CIOs basically stopped doing innovation and governance in 2000 and became cost cutters,” Ellis says. “Somebody had to care about cybersecurity because nobody else did. And so, the CISO’s job has been to sort of pick up the cybersecurity pieces that are parts of other people’s jobs.”

The haphazard evolution of the job highlights the problems CISOs face when colleagues and regulators have a poor grasp of what they do. This lack of understanding can lead to misunderstandings, resource misallocation, and even potential legal liability, as evidenced by what many see as the SEC’s overreaching inclusion of SolarWinds CISO Tim Brown in a years-long and bruising legal battle based on a misinterpretation of his duties.

Driving the confusion are the blurred and variable parameters of the job. This lack of clarity is compounded by the fact that most CISOs continue to operate with less decision-making authority than they would like, despite their heavy duties and executive-sounding titles. Nevertheless, experts point to ways that CISOs can better define their jobs and communicate them both inside the organization and with external stakeholders.

So, what do CISOs do?

One of the fundamental problems in defining the CISO role is that it varies from organization to organization, and where the organization stands in terms of cybersecurity maturity. Moreover, the nature of the job can change over time.

In a less mature organization, CISOs “tend to be pretty technical,” Bethany DeLude, CISO emeritus and former CISO of the Carlyle Group, tells CSO. “They might be the strongest security engineer in the organization. This type of CISO is like, ‘Let me just put out fires. Let me make sure we’re not hacked. Let me get our house in order.’”

In a mature organization, on the other hand, the CISO is “an executive leader who is focused on strategy, business relationships, brand-building, thinking of how cyber creates value for the organization,” DeLude says. This kind of CISO thinks about “how do I create value for this organization through my subject matter expertise? That’s why I think there’s blurriness. Moreover, the right CISO for the same organization can change over time.”

The changing nature of the CISO’s role, along with the shifts in threats and risk management strategies, means that pinning down a CISO’s responsibilities is a virtual impossibility. “It’s an evolving situation, and every year a CISO’s role has to be kind of re-analyzed to figure out, okay, what do I need to do,” Dale “Dr. Z” Zabriskie, field CISO of Cohesity, tells CSO.

He adds, “We’ve gone through that time where the board or the CEO or the company points at the CISO and says, ‘It’s your job to protect us.’ We’ve moved away from that to where the best thing a CISO can do is to be connected at every level of the business to understand from each department leader and demand from that leader what data, what systems they are responsible for. Then the CISO can determine the best course of action based on acceptable risk.”

What this means to some experts is that CISOs need to feel their way around the organization before defining their jobs more concretely. “It’s the CISO’s responsibility to finalize their own job description, essentially, and set expectations based upon the risks and how that aligns with bits of strategy and the actual culture that exists,” Susan Chiang, CISO of Headway, tells CSO.

Chiang thinks the great leveler across all organizations for CISOs is that ultimately “the mission is the same, which is — whether you’re at a company, government, or nonprofit — to reduce risk, especially on traditional security.”

Even though it might not be possible to develop a constant and unchanging definition of what a CISO does, it would help smooth relationships across the organization if a standard definition existed. “It would reduce the friction if there was clarity on exactly what the CISO needed to do and where the boundaries are,” Omar Khawaja, field CISO and VP of security at Databricks and faculty member at Carnegie Mellon University, tells CSO.

‘Chief’ in name only adds to the confusion

Like holders of other executive-sounding titles, such as chief marketing officer, chief revenue officer, and chief technology officer, CISOs sound like they should be officers of the company with broad decision-making capabilities, but in most cases they lack any actual power.

“There are some CISOs that sort of rise to what it means to be an officer of the company, and they’re then treated as such, regardless of their reporting relationships,” Khawaja says.

“I’ve seen CISOs that are four levels down from the CEO, but they are seen as a first-class member of the executive suite,” he adds. “I have seen CISOs who are a direct report of the CEO, and they have almost no influence and no authority. So, it has very little to do with the actual reporting relationship and the organizational structure. It has much more to do with the ethos and the behavior of the individual themselves and the quality of the relationships that they make with the CEO, with the board, and with their peers.”

Ellis says, “There’s been this explosion of C-level titles that are not C-level roles in companies. The CSO [chief security officer] was the first of them. I think the CIO and the CMO were the last new ones to become part of the C-suite, and almost everybody since then is not part of the C-suite. They’re always a step down.”

But Ellis thinks this lesser role that CISOs occupy will not last for long, given how vital cybersecurity is. “I think we’re more likely to see an evolution of the CISO back into a CIO- or CTO-type role. If you look at what a CIO does today outside of the Fortune 500, they’re a procurement officer for commodity hardware and SaaS services. That’s not a C-level position. But that combined with the CISO is.”

Headway’s Chiang believes that even if CISOs don’t merge back into CIOs, they’re likely to attain more power. “We are moving to more standards and norms around what a CISO does, which in some ways is a natural follow up to what CISOs now need to ensure, for example, being a named officer by the board and therefore having the same level of liability coverage as a CFO, for example, in some of these risk decisions.”

How CISOs can communicate what they do

No matter where the organization is on the cybersecurity maturity curve, or how little executive power a CISO truly has, experts say there are ways to communicate the CISO’s duties so that internal or external stakeholders have a clearer idea of what they do.

Very few standard documents exist that can help with this task. Cybersecurity board advisor Rafeeq Rehman produces each year a “CISO MindMap,” which is a visual achievement that crystallizes what CISOs do. But it is intricate, displaying hundreds of duties that any given CISO might undertake.

“I wouldn’t share that mind map with my peers,” Chiang says. “It would overwhelm them.”

Ellis has produced The Idealized CISO Job Description, which is all-encompassing in describing the complex range of CISO job responsibilities. But few CISOs have ever carried this level of duties. Ellis says he knows of only 100 or so CISOs who have met the idealized criteria, and “they’re mostly all in the CISO Hall of Fame at this point.”

Instead of sharing these complex and specialized documents, Chiang says CISOs should “look for ways to tell the story from our shared customer’s perspective,” to paint a picture of what they do in terms of providing access or reducing risk, for example. “That moves us away from maybe thinking the CISO is a decision-maker, which they are almost never. They’re advisors and helpers and enablers, and show up when things go wrong.”

“The first thing a CISO has to do is learn to speak the language of the person to whom they’re speaking and to determine what they are measured on, what is best for them,” Dr. Z says. “Determine what’s important to this person or this department or this office, and how you can show your relevance to that.”

Ellis thinks it’s essential for CISOs to show their work to customers in person. “You want everything to be in person,” he says. “You want to have conversations with people, and they should see the work that you do. You should never tell them, ‘We did this thing.’ They should see what you do and really what you help other people to do.”

Moreover, in communicating throughout the organization, CISOs’ messages will carry greater weight and be more memorable if they give credit to others. “Mention what somebody else in the company did that protected the company,” Ellis says. “This engineering team just built us an amazing multifactor authentication system that is seamless. These are the people whom you should be thanking. Everybody will want to work with you — the only one who’s thanking other people.”
