The CISO and the Business
Keep appointing pure technologists in CISO roles and you’ll never win
The WannaCry ransomware attack that hit so many large firms in May 2017 led to a number of animated discussions within InfoSec communities.
The corrective patch (MS17-010, fixing the SMB vulnerability the malware exploited) had been available since March 2017 for supported systems, and many firms were badly hit because of their reliance on the unsupported Windows XP (which reached end of life in April 2014).
The timely deployment of security patches has been regarded as a fundamental security practice since the Code Red, Slammer and Blaster worm outbreaks of 2001 to 2003, well over a decade earlier, so how can it be that so many large firms are still struggling with it today?
It cannot be just a matter of security investment: Many of the firms reportedly affected by the outbreak would have had fully functioning security practices all that time and would have been spending millions every year on security products.
It has to be a plain matter of adverse prioritisation of security issues by IT and business leaders.
This brings the role and profile of the CISO in those firms under the spotlight. Surely it would have been the CISO’s job to ensure that those matters remained on the agenda of the right leaders, to communicate their urgency, to drive remedial programmes, and to keep hammering at them until they got fixed.
What is the security community doing wrong if, collectively, it has been unable to address a technical issue as well understood as the timely deployment of security patches over a period spanning more than a decade?
One reason often put forward by security technologists is a language disconnect between the CISO and the business: somehow, CISOs are not being heard by business leaders and would need to learn to “speak the language of the business”. Such an assertion, in itself, raises concerns about the actual profile of the CISO, if there are question marks over their ability to rise above purely technological arguments and present them in a language a non-specialist would understand.
Of course, many CISOs are technologists by background; and frankly, security has rarely been seen as a pathway to the top in IT circles, so very often the CISO is in that job either because of a personal interest in the technical aspects of the topic … or because there was little else for them to do.
To break the spiral that has led to the past “lost decade” on cyber security matters, you urgently need to inject talent into the security industry.
It is primarily managerial excellence that is missing, and it will have to be attracted by rewarding the right skills at the right level. It is also a matter of cultural transformation for many firms, because it means changing the scale of values on which security is judged.
To attract the best leaders, security, i.e. the protection of a firm’s assets, has to be seen from the Board down as something fundamental that the firm values and rewards; not as something you can compromise on to maximise profits, or something imposed upon you arbitrarily by regulators.
And if you want your CISO to “talk the language of the business”, you could start by appointing someone from the business! … or at least an IT leader who is not a mere technology hobbyist and has a genuinely cross-functional view of your business.
A lot of this is about context:
If you present the patch deployment issue as an IT issue, you will be heard by your business in an IT context and prioritised against other IT topics.
If you present it as a matter of fundamental protection against real and active threats, you will be engaging at a different level. But as a CISO, you will need the right voice, the right gravitas and the right profile in the firm to be heard. This is not only a rational argument: you will have to use every fact you can find, and always focus your communication with other business leaders on those facts and on the reality of the threats. You will have to pick your battles and strike at the right time to convince the right people. You will have to break the “bias of imaginability” described by Kahneman and Tversky, and that will take time. This is a very serious management role that requires a truly senior profile, a considerable amount of experience, and the willingness to stay the course, which could take considerably more than a couple of years.
Keep appointing pure technologists in CISO roles and you’ll never win. The protection of the information the firm needs to function is not a mere technology matter, contrary to what many tech vendors would like you to believe. It has a profound cultural dimension, at the heart of the relationship between the firm and its employees: you naturally protect what you care about. If your CISO embodies that relationship, everything they do will carry that weight, and you’ll move forward.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.