Way beyond the justification of ad-hoc investments and pet-projects for the CISO, metrics have to be at the heart of the sound security practice, but they must be focused on tracking progress in time in support of a long-term transformative vision.
With regards to many other C-level roles, the Chief Information Security Officer (CISO) position is a fairly recent creation for many organisations. Although it started to emerge over 15 years ago, it has been spurred further recently by growing concerns over cybersecurity and highly publicized data breaches. Figuring out its right place within organisations is still quite a hot debate between management and security experts
The role of the CISO in its historical technology-driven perception is not outdated yet, but it is under threat and losing ground. The firms looking to reverse this trend need to act at three levels
Why are so many organisations and security professionals still worried about the reporting line of the CISO? This is one of the oldest and most consistent debate agitating the security industry, and it looks far from resolved. It has been polluted for decades by arbitrary and simplistic views on “separation of duties” and alleged “conflicts of interest”. But those views often come from sectors of the corporate spectrum with a fairly theoretical idea on how an organisation should operate, and rarely reflect the reality of how large organisations function.
There is some form of management reality beyond the “100 days” journalistic cliché: How does an incoming executive make an impact in a new role? What are the real timeframes to look at, and what can be expected and over what horizon? What are the key issues that should raise a red flag during the first few months in a new senior position? and those which can be ignored?
It is one thing – complex enough – to lead and deliver the cyber security transformation of an organisation that has reached the point where it knows it needs to change, but it is another one – equally complex – to create the condition for such realisation to take place.