Why CISOs Need a Security Reality Check We deserve a seat at the executive table, and we'll be much better at our jobs once we take it.
There is a problem with information security today. I don't mean the skills gap or the issues surrounding data privacy. I don't mean the struggle to keep ahead of the most recent threats and vulnerabilities. I don't even mean the next General Data Protection Regulation. In fact, this problem isn't a new problem; it has always been around.
Those other conversations are vitally important, but I'm referring instead to a pervasive and insidious problem, one as important as any other security challenge the industry currently faces: we security practitioners have either lost our way or, most often, failed to understand what our roles should be in the first place.
Let me explain.
In April, I attended the RSA Conference in San Francisco, where I met with some of the most cutting-edge security innovators in the country. Leaders gathered to share war stories and best practices, as well as demo and test the newest security tools they might take home to their own organizations. But something was missing.
RSA is an exciting conference that celebrates and represents the vibrant security community — attending typically is encouraging for the future. But as much as RSA symbolizes security's best, so too it is part of the problem: flash, swag, and groupthink. In sum, there's an over-reliance on the flavor of the week rather than on sound security best practices.
Not All That Glitters Is Gold
So, why does this focus on the "latest and greatest" security technology exist? In conversations with many other chief information security officers (CISOs), two answers rise to the top: first, the average tenure of a CISO is short. Perfect data on this is hazy, but it has been reported to be as short as 17 months, though there is indication the number is rising. Second, many CISOs still don't think or act as though we've earned the "C" in our titles.
The comparatively short CISO tenure is often rooted in the individual CISOs desire for gain and fear of loss. Most CISOs have very little upward or lateral mobility within an organization. To grow in our careers, improve our salaries, and gain new experiences, it's easier to move to other organizations. Further, a typical CISO must balance between being somewhere too short of a time to take blame ("it was the last person's fault"), long enough to leave an impact (so you can have successes to point to when looking for your next job), and too long (where a security incident actually happens and you take the fall).
As a result, we often choose to set short-term goals with shallow impact and do so with more condensed time frames than other C-level peers; we often seem desperate to show progress but choose methods that prevent it. We are tempted to do the easy things first, and leave the hardest things to the future ... or the next CISO.
All too often, these take the form of the new "shiny" security solution to make ourselves look good before taking the "quit while we are ahead" approach and moving to another organization to reset the scales. It's easy and common to fall into a consumer-mindset trap, buying the latest gadget, knowing full well that if it doesn't actually improve security, at least it looks like the CISO is doing something. It is a harsh truth, but not something I think is unfair. CISOs will frequently nod in agreement when discussing this subject and agree we can do better.
How We Can Change
For many organizations, the CISO role is relatively new, and as such, many organizations remain unsure of how to incorporate the position into the enterprise's operations. At Splunk, I'm fortunate this is not the case, but I've heard time and time again that it is true for many of my peers.
As a result, we CISOs are often left feeling unsure of our place at the table. Rather than being seen as strategic advisers, too many CISOs are seen as the people who just say "no." That's in contrast with other divisions of the organization, such as sales, marketing, and product development; when security is successful, you don't hear about it.
We need to do a better job of proving our ROI to the mission of the enterprise. We need to commit to a disciplined focus on achieving excellence in the fundamentals and delivering on the hard tasks, even if they are slow to accomplish and don't lead to stage presentations. We need to do a better job understanding why and in what ways security is a critical standard business practice equal in importance and function to every other operational area of an enterprise then displaying we believe it through our actions.
Today, security is swarmed by new applications and tools that promise to make security operations easier and organizations more secure. From automation to artificial intelligence, we're in a golden age of security innovation. It's easy to get swept up in the excitement, but we are moving past the era where security needs to be flashy. Instead, let's be a little more introspective and a lot more disciplined.
My charge to all CISOs and aspiring CISOs out there: spend some time reflecting on your own security practices. Know that security is no longer seen as a sunk cost to enterprises but as a core part of business. We do deserve a seat at the table, and we'll be much better at our jobs once we take it.
Top industry experts will offer a range of information and insight on who the bad guys are — and why they might be targeting your enterprise. Click for more information.
Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ... View Full Bio