ciso Archives - Zenaciti
https://zenaciti.com/tag/ciso/
Zenaciti generates actionable intelligence for leaders and investors on sales, go-to-market strategy, and cybersecurity
Feed generated Fri, 29 May 2026 23:17:03 +0000

The Imperative Role of Cybersecurity Experts on Company Boards
https://zenaciti.com/the-imperative-role-of-cybersecurity-experts-on-company-boards/
Wed, 05 Jul 2023 19:17:22 +0000

Placing a cybersecurity advisor on a corporate board of directors ensures trust and truth guide governance.

The post The Imperative Role of Cybersecurity Experts on Company Boards appeared first on Zenaciti.

As organizations become more dependent on cloud technologies, and on the complex security challenges that come with them, it is crucial for businesses to prioritize cybersecurity at the highest levels of decision-making. That means having security expertise at the corporate board level.

There are numerous articles out there which discuss this issue. Here is a small sample:

Many companies have elevated their CISO (or CIO) to report to the board.  This can provide the board with regular insight into the security posture of the company. While the CISO and board both share a governance responsibility, that governance differs in some important ways.

Some of the challenges of having a CISO report to the board include:

  • Communication barriers. Board members seldom possess security expertise. They are unlikely to engage the CISO in a meaningful conversation about vulnerabilities, risk management, or compliance.  This communication gap makes it difficult for the board to effectively hold the management team accountable.  It also makes it difficult for the CISO to effectively inform the board on complex security issues.
  • Divergent focus. Boards are strategically focused while CISOs must remain operationally focused.  This creates a natural divergence between these two groups, which can further exacerbate miscommunications, misunderstandings, and missed opportunities.
  • Reputation bias. Employees of the company, such as the CISO, have a vested interest in protecting their reputation. They will overemphasize their accomplishments while downplaying their failures. Do you really think a CISO will come to a board meeting and report that security is a mess and they are failing to do their job? Probably not.
  • Lack of context. Security is dynamic and volatile.  To build an effective strategy, a board must look beyond the company into broader industry and threat landscape trends.  A CISO working at a single company will struggle to bring such perspective to the board.
  • Stress. Increasingly, boards make demands of CISOs that they cannot fulfill. This is driving a rise in CISOs resigning in search of less stressful environments.

The answer to these and other challenges is to appoint an independent cybersecurity expert to the board as an observer.  This person can serve as a liaison between the CISO and the board.

Let’s assess how an independent expert can benefit the board.

1. A Strategic Approach to Cybersecurity

Cybersecurity cuts across multiple dimensions of a company. It is both a technical, operational challenge and a strategic issue.

Including a cybersecurity expert on the board ensures security concepts are integrated into the strategic planning process.  When an executive is championing a new product or feature, the board advisor can weigh in on the potential security implications.

For example, right now many startup CEOs are fascinated with AI. They all saw the meteoric rise of ChatGPT and want to get a piece of the action. The problem is that AI opens the door to numerous security challenges. Any strategic plan must address issues such as data governance, sanitization of the data fed to models, and provenance of the data they are trained on. Without a clear understanding of these security implications, the board may greenlight a project while also greenlighting a massive data breach.

A security expert on the board can provide context for these issues.  Mostly, they can ask the executive team tough questions about these plans and hold them accountable.  This is a good segue to the next item on this list.

2. Accountability and Independence

Company boards are responsible for overseeing governance of the entire company, not merely sales or finance.  This means oversight of cybersecurity, risk management, and compliance as well.  Unfortunately, board members (such as investors) are seldom skilled at these concepts.  As such, they are highly susceptible to being misled into complacency.

Independent advisors can ask tough questions that a CISO or CIO may be reluctant to ask.  Moreover, an advisor is more likely to point out flimsy excuses.  In my experience, when technical people are struggling to deliver results, they routinely resort to avoiding scrutiny or blaming others for their problems.  An independent advisor can identify these and hold the team accountable.

Independent advisors have greater freedom to uncover the truth, which allows the board to hold management accountable.

3. Wading Through Compliance

If you have ever spent time doing security compliance work, then you know how profoundly difficult it can be. Compliance is an impediment to progress. It is expensive, time consuming, and fraught with misinformation. It is also absolutely necessary. Failing to meet regulatory requirements can severely restrict a company's opportunities and expose it to fines.

Most boards wave off compliance as an irritant.  They task the CISO with the job without an appreciation for how difficult that job can be.  Moreover, the pedantic nuances of compliance create an impenetrable communication barrier, which both employees and auditors can exploit to avoid accountability.

An independent advisor breaks down these barriers.  They can interact directly with auditors and employees to ensure compliance initiatives remain on track and do not squander company resources.

4. Strengthened Incident Response

When a serious security incident happens, the entire organization, along with partners, vendors, and customers, will be looking to the executive team for leadership. Invariably, those parties are going to want to know how the board was involved.

A security advisor to the board can play a crucial role before, during, and after an incident. Before an incident, the advisor can ensure resilience planning and automation are being integrated into every business function. During an incident, the advisor can liaise with executives, authorities, and the public so that the leadership team and the board present a united front. After an incident, the advisor can facilitate a "blameless postmortem" process to ensure the company does not repeat the errors or oversights of the past.

Lastly, advisors can provide valuable contextual guidance on emerging resilience technologies. For example, one such solution is Moving Target Defense (MTD), which continually reshuffles aspects of a system (addresses, configurations, code layout) so that an attacker's reconnaissance goes stale, and which can dramatically improve operational resilience to attack. However, MTD is still a nascent technology. An advisor can give the board and executives insight into how other companies have found these new technologies to perform.

5. Building Trust

After years of leading a security company, I discovered a simple truth about security sales: credibility creates trust. If you want to build trust with security practitioners, you must demonstrate you understand their profession. A nerdy conversation about PKI or Palo Alto Networks reassures a practitioner you understand them. When people trust you, they tell you the truth, such as how vulnerable the company is to attack.

A board member with no security background who calls the CISO to discuss security will only spark panic. Both their position on the board and their lack of experience foster a credibility gap with the CISO, which leads to clumsy conversations that fail to uncover the truth.

Independent advisors with a background in security can credibly interact with the organization’s technical team.  They can gather useful insights and report these back to the board.  When organizations deal in truth and trust, they can address problems more effectively and accelerate strategic plans.

What to Look for In an Advisor

If you are ready to appoint an advisor to the board, there are five key skills you should seek.

  1. Executive Experience. The person must have prior experience as a C-level executive, preferably as a CISO, CIO, or even a CEO.
  2. Hands-on Security Knowledge. The advisor must possess operational security expertise.  They must be able to engage technical people in credible conversations based on their experiences.
  3. Listener. The ideal advisor listens first and then provides meaningful, relevant feedback.  Do not hire a pontificator who masks their insecurities and inexperience with bravado and blather.
  4. Communicator. The advisor must be comfortable and articulate in front of an audience, especially investors.
  5. Network. Good advisors have a network of fellow security professionals whom they can turn to for insights that fall outside their expertise.  Moreover, they can call upon that network for recommendations for vendors or auditors.

Conclusion

There are numerous benefits to appointing a security advisor as a board observer.  Moreover, there are ample professionals who can fill this role.

Obviously, Zenaciti offers these services, so we are biased to the value of such advisors.  However, I have watched numerous startups flounder as they ignore the security landscape, sinking deeper and deeper into delusions of “we got that covered.”  Do not allow your company to be run on the whims of hand-waving and hope.  Put a security expert on your board and run the company based on truth and trust.

What Is Wrong with the CISO?
https://zenaciti.com/what-is-wrong-with-the-ciso/
Tue, 09 Aug 2022 18:17:56 +0000

What is wrong with Chief Information Security Officers (CISOs)? They are stressed, angry, and frustrated. What has CISOs so miserable?

The post What Is Wrong with the CISO? appeared first on Zenaciti.

What is wrong with CISOs?  They seem more stressed and angry than ever.  And the drinking!  I missed RSA last year, but the stories and social posts are soaked in alcohol.

I am not the only one noticing all these stressed out CISOs. Here are a few recent stories:

I spent time lurking in CISO hangouts recently. I heard a lot of stories that all centered around a common adjective: frustrated. CISOs are under tremendous pressure to keep their organizations safe. There is too much to do, too little time, and too few resources. Moreover, the complexity of modern enterprises coupled with the persistent threat of ransomware attacks makes CISO jobs profoundly difficult.

However, frustration is only part of the story.  There is another adjective I heard frequently: hopeless. One CISO summed it up succinctly: “they blame me for everything that goes wrong.”

Yeah, I know how that feels.

Maybe this is why many CISOs get the title Chief No Officer slapped on them? Faced with hopeless odds of success, it is easier to say no than to fight to make things work. I used to think CISOs who did this were weak leaders. However, the more I hear them talk, the more I think they are stuck in a classic Kobayashi Maru (a no-win scenario). No matter what they do, they get blamed.

It works something like this:

  1. Company hires a new CISO.
  2. The expectations are ludicrous:
    • Executives and board members expect the CISO to protect the business with absolute precision and perfection.
    • Other departments expect the CISO to implement security without disrupting any existing business functions.
    • Third-party vendors expect the company to align with several intricate compliance regimes.
  3. The CISO implements a plan. There are two common outcomes:
    • The CISO implements effective security controls:
      • The controls fail and the company gets hacked > CISO blamed and shamed
      • The controls work, but they cause other systems to fail > CISO blamed and shamed
      • The controls work, security becomes routine and dull, and executives wonder why the company spends so much on security > CISO blamed and shamed
    • The CISO is unsuccessful and security languishes:
      • Company gets hacked > CISO blamed and shamed
      • Company somehow does not get hacked; executives wonder why they have a CISO and no security controls > CISO blamed and shamed
      • Company fails a compliance audit > CISO blamed and shamed
  4. The CISO quits or is fired.
  5. GOTO 1

There is no way to win. Mistakes in security (and technology as a whole) are common. Since many CISOs rose through the ranks from technical roles rather than business schools or investment firms, they usually lack the skills to navigate the petty politics of organizations.

When people are trapped in situations where they feel they cannot succeed, they become bitter, resentful, and eventually give up. Why work hard when you will be blamed for every problem, whether you caused it or not? I once witnessed a company put their entire environment at risk because a vice-president wanted to spite the security team for using a different cloud service provider. Eventually, the CISO tired of these antics and left the company.

It is unsurprising, then, that many CISOs feel frustrated and are quitting. With that in mind, here are some ideas for CISOs stuck in a frustrating job:

  • Adapt Communications: Each person you interact with has a particular communication style. Take a moment to consider how each person will hear you best. Some people prefer to get right to the data, while others may require a gentler touch. Remember, you are responsible for being heard. It is not the listener's responsibility to understand you.
  • Stay Strategic: Play the long game.  Have a plan and stick to it. Avoid getting mired down in petty squabbles. Keep reiterating the value of security.
  • Snuff Out the Gaslighting: One way bad leaders distract CISOs is with irrelevant questions and faulty logic. For example, they may use anecdotal reasoning, reciting some situation from their past and expecting you to replicate it when you know it will not work. Listen, show respect, placate where necessary, but stick with your plan.
  • Arm Yourself with Data: When the blame starts flying, have data on your side.  Data might not save you, but it is a powerful weapon against the forces of idiocy.  Make sure goals, plans, and commitments are documented.
  • Stay Off the Range: Security is an easy target for developers, IT, finance, HR…everybody who needs a scapegoat.  Do not allow your team to be unprepared.  Be on top of your goals, metrics, and plans.
  • Hold Vendors and Service Providers Accountable: Do not allow the companies providing you products or services to skip out on their commitments.  If a vendor promises you something, get it in writing and require them to deliver.  This is how you can show strength, resolve, and discipline.  Be firm, do not be a jerk.
  • Battle the Bullies: You may have board members or executives who think they are security geniuses because they have money and authority.  These people are often deeply insecure bullies.  Keep your discussions with these people focused on threats.  Talk about the competition, ransomware, hacker groups, and all the catastrophes that will unfold if security is sidelined.  Bullies innately understand threat.
  • See and Sell a Brighter Future: It is difficult to scapegoat a person who speaks of a brighter, better, and more prosperous future. While you may need to pound the bullies on the board with fear, spread optimism, vision, and hope elsewhere.  Optimism is attractive.

While I cannot fault anybody for giving up when things feel hopeless, you must take something from each experience that helps you in the future. You might not make a difference in every place you work, but every place you work can make a difference for you.

However, I would urge all CISOs to hang in there. With persistence and perseverance, you can make a difference. Lastly, make sure you mentor and train others along the way. Leave your employer in a better place than when you got there. The people you mentor will support you.
