Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Joel Fulton
Joel Fulton
Connect Directly
E-Mail vvv

Why CISOs Need a Security Reality Check

We deserve a seat at the executive table, and we'll be much better at our jobs once we take it.

There is a problem with information security today. I don't mean the skills gap or the issues surrounding data privacy. I don't mean the struggle to keep ahead of the most recent threats and vulnerabilities. I don't even mean the next General Data Protection Regulation. In fact, this problem isn't a new problem; it has always been around.

Those other conversations are vitally important, but I'm referring instead to a pervasive and insidious problem, one as important as any other security challenge the industry currently faces: we security practitioners have either lost our way or, most often, failed to understand what our roles should be in the first place.

Let me explain.

In April, I attended the RSA Conference in San Francisco, where I met with some of the most cutting-edge security innovators in the country. Leaders gathered to share war stories and best practices, as well as demo and test the newest security tools they might take home to their own organizations. But something was missing.

RSA is an exciting conference that celebrates and represents the vibrant security community — attending typically is encouraging for the future. But as much as RSA symbolizes security's best, so too it is part of the problem: flash, swag, and groupthink. In sum, there's an over-reliance on the flavor of the week rather than on sound security best practices.

Not All That Glitters Is Gold
So, why does this focus on the "latest and greatest" security technology exist? In conversations with many other chief information security officers (CISOs), two answers rise to the top: first, the average tenure of a CISO is short. Perfect data on this is hazy, but it has been reported to be as short as 17 months, though there is indication the number is rising. Second, many CISOs still don't think or act as though we've earned the "C" in our titles.

The comparatively short CISO tenure is often rooted in the individual CISOs desire for gain and fear of loss. Most CISOs have very little upward or lateral mobility within an organization. To grow in our careers, improve our salaries, and gain new experiences, it's easier to move to other organizations. Further, a typical CISO must balance between being somewhere too short of a time to take blame ("it was the last person's fault"), long enough to leave an impact (so you can have successes to point to when looking for your next job), and too long (where a security incident actually happens and you take the fall).

As a result, we often choose to set short-term goals with shallow impact and do so with more condensed time frames than other C-level peers; we often seem desperate to show progress but choose methods that prevent it. We are tempted to do the easy things first, and leave the hardest things to the future ... or the next CISO.

All too often, these take the form of the new "shiny" security solution to make ourselves look good before taking the "quit while we are ahead" approach and moving to another organization to reset the scales. It's easy and common to fall into a consumer-mindset trap, buying the latest gadget, knowing full well that if it doesn't actually improve security, at least it looks like the CISO is doing something. It is a harsh truth, but not something I think is unfair. CISOs will frequently nod in agreement when discussing this subject and agree we can do better.

How We Can Change
For many organizations, the CISO role is relatively new, and as such, many organizations remain unsure of how to incorporate the position into the enterprise's operations. At Splunk, I'm fortunate this is not the case, but I've heard time and time again that it is true for many of my peers.

As a result, we CISOs are often left feeling unsure of our place at the table. Rather than being seen as strategic advisers, too many CISOs are seen as the people who just say "no." That's in contrast with other divisions of the organization, such as sales, marketing, and product development; when security is successful, you don't hear about it.

We need to do a better job of proving our ROI to the mission of the enterprise. We need to commit to a disciplined focus on achieving excellence in the fundamentals and delivering on the hard tasks, even if they are slow to accomplish and don't lead to stage presentations. We need to do a better job understanding why and in what ways security is a critical standard business practice equal in importance and function to every other operational area of an enterprise then displaying we believe it through our actions.

Today, security is swarmed by new applications and tools that promise to make security operations easier and organizations more secure. From automation to artificial intelligence, we're in a golden age of security innovation. It's easy to get swept up in the excitement, but we are moving past the era where security needs to be flashy. Instead, let's be a little more introspective and a lot more disciplined.

My charge to all CISOs and aspiring CISOs out there: spend some time reflecting on your own security practices. Know that security is no longer seen as a sunk cost to enterprises but as a core part of business. We do deserve a seat at the table, and we'll be much better at our jobs once we take it.

Related Content:


Top industry experts will offer a range of information and insight on who the bad guys are — and why they might be targeting your enterprise. Click for more information.

Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/14/2018 | 12:57:43 PM
The CEO of this ongoing train wreck showed the true attitude of C-Suite to security pro issues when he testified that only one (1) IT drone unit as responsible for the hell at this firm --- by failing to apply a patch.  Wow!  Total ignorance of complex issues if their entire security protocol rests on one chap.  Incredible and from what i hear, many American firms are equally blind.  So we do NOT GET RESPECT and probably never will.  We should have such a seat --- but don't hold your breath. 
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.