Page 133 - Cyber Defense eMagazine April 2023
was many years and hacks later that first the government, and then the financial services industry, and
then others adopted this role.
So, have these top executives taken responsibility, and has the CISO role mitigated risk? I argue that
they largely have not, but it is crucial to understand why. Without full leadership awareness of the threats,
risks, and potential consequences of attacks, IT teams are not able to obtain the buy-in and budget
necessary to fully understand their risk estate and mitigate it. And ultimately, as we will discuss, CISOs
and IT are still largely on the front lines of accountability and blame today. Yet, sadly, they are unable to
affect the security outcome without support from the top and resources from external parties. Our aim is
not to disparage CISOs or IT, but rather to argue that, given the current structure, support, and focus of the
CIO role and IT department, they are set up to achieve suboptimal results and to take all the blame when things
go south.
Why the CISO Model Still Fails to Address Cyber Risk
When companies scrambled to appoint CISOs en masse around 10-15 years ago, some brought in new
blood—the most experienced security and compliance leaders appropriate for their needs. Others,
particularly in the mid-sized business ranks, simply reorganized, elevating current senior IT staff to the
title. In either case, it accomplished a few things that moved the actual end goal of security even farther
away (and this dynamic continues today).
First, it provided a buffer and deferment layer between the CEO/board and the ranks of IT struggling daily
with too much risk, too little staff, and insufficient budget allocation to secure the business. I don’t
necessarily blame boards and CEOs for this; security is hard. Most executives don’t understand it; it’s
considered a highly technical cost center that presents a complex problem with thousands of moving
parts you can’t ever fully solve. Senior leaders have many conflicting priorities, all of which are screaming
for budget and requiring solutions. While some are very technically knowledgeable, most aren’t, and
finding one person to shoulder the load is an obvious (though inadequate) solution.
Unfortunately, executives can never fully pass off this responsibility because data is far too central to the
organization’s ability to function. Because top leadership, boards, and even private equity firms make
critical budget allocation decisions, they must be made to understand the vulnerabilities, potential
solutions, and the real-world results of failure to act (in a language they can understand). Then, they must
own the decisions on which risks to take based on budgetary allocations. While CISOs have a powerful
title, we see in our daily work they still have less access to the board than they truly need to sway top
leadership. They need a voice—and they need the right information to make top leadership truly
understand what is at stake.
Second, in our experience, most (but not all) CISOs are quite focused on aligning their security programs
against compulsory and recommended compliance frameworks like NIST, CIS, HIPAA, FedRAMP, and
the like. These frameworks don’t focus enough on ensuring the underlying security controls and
technology are configured and orchestrated in a manner to prevent a breach. They are also static: they
don’t iterate in real time with the very fast-changing threat actor tactics or rapidly shifting organizational
threat surface. In other words, CISOs and IT teams often don’t know what they don’t know—where the