In both the public and private sectors, there is considerable emphasis placed on the value of leadership. A lot of time and energy is spent on defining it, improving it, quantifying it, and ensuring we have it in all the right places. Yet little is said about the importance of radically redefining leadership in times of great change. As Reed Hastings, cofounder and CEO of Netflix, points out, we should not “…be afraid to change the model.” If you want to be a leader, you must be willing to question everything and drive change when warranted. To say cyber security is in a state of considerable flux would be a gross understatement. While those of us in cyber security are not surprised by this, recent incidents like SolarWinds, the Colonial Pipeline attack, PrintNightmare, and others have made it front-page news for everyone. If ever there was a time to radically redefine the nature of cyber security leadership, it is now, and that redefinition extends across both the public and private sectors. In fact, it has to.
The chief information security officer (CISO) is the executive directly responsible for cyber security. This is true of the federal government and increasingly so for the private sector. In most organizations, the CISO reports to the chief information officer (CIO). Some have suggested that this reporting structure is fundamentally flawed, citing the real possibility of conflict between the two officers when the IT resources needed to meet mission goals are prioritized over those needed to secure the enterprise. Under the current structure, CIOs and CISOs are expected to iron out these discrepancies by striking a balance between the risks and the mitigations necessary to abate those risks. This dynamic exemplifies a critical requirement for security programs in the past and still today, namely the importance of collaborative leadership. In a perfect world, all the options are put on the table and assessed, a decision is made, and the organization moves forward. However, in most organizations the CIO holds all the cards and can decide to accept the risk or simply ignore it, regardless of consequences. Unfortunately, there are too many cases in which this has happened. In a world where the threat landscape is evolving at the scale and speed of cloud technology, we can no longer depend on a CIO/CISO model created in the early years of the internet, when “hacking” was more a movie plot than a concern of the C-suite.
I have always seen security as an enabler of mission, not a detractor. Under such a notion, the CISO is more accountable to the business side of an organization and less so to the head of the IT department. A collaborative CIO/CISO relationship is still critical but no longer sufficient. Cyber in today’s world has evolved to the point that the security posture of a business is as much its brand as any product or service the business produces. CISOs, then, are no longer just “information security specialists.” We need to redefine the future of cyber security leadership. This new definition needs to encompass, and be applicable to, more than just the public sector. Indeed, as current technology trends suggest and the most recent supply chain attacks demonstrate, any success in cyber security will grow out of an ongoing, dynamic, and clearly understood partnership between the public and private sectors.
With the above in mind, here are some of the critical areas that warrant consideration when defining the role of the Next Generation CISO:
1. The CIO/CISO partnership needs to be maintained. In redefining the CISO role, we cannot devolve it into that of an auditor of CIO activities. Although the CISO should have a seat at the boardroom table independent of the CIO, we cannot ignore that the CISO’s day-to-day work involves IT. In other words, there will always be crossover between the CIO and CISO organizations. We need to ensure that we do not engineer conflict by design.
2. The CISO role needs to be operationalized. Too often, CISO offices, especially in the public sector, are seen as policy and paperwork shops. In redefining the role, we need to ensure we include proactive security responsibilities, such as red and blue teaming, incident response, and cyber resilience. Security is more than a checkbox on a form, and we should say as much.
3. Ensure CISOs are accountable to leadership. Industry has already figured this out by having its cyber lead report to either the board or a board member. The public sector needs to follow suit. Senior leadership should be on a first-name basis with their CISO, and CISOs should not be hampered by chains of command when it comes to discussing cyber security risks with decision makers.
4. Make security everyone’s responsibility. This means adding cyber security requirements to leadership performance plans at all levels and giving the CISO approval authority over those additions to ensure alignment with cyber goals and priorities. Accountability starts with executive leadership.
5. Next Generation CISO responsibilities need to be codified in law and policy. We need to define CISO areas of responsibility (AORs) that ensure a clear understanding of cyber authority and that have applicability and meaning across the private and public sectors. However, AORs cannot be static administrative markers, because such constructs tend to lose meaning and value over time. Rather, Next Generation CISOs should be practitioners of agile security concepts and principles, remaining flexible and responsive to changes in the threat landscape as well as shifts in technology. Given this, the role needs to be defined while remaining adaptable to change.
John F. Kennedy said, “Change is the law of life and those who look only to the past or present are certain to miss the future.” President Kennedy’s warning is certainly applicable here. Now is the time for transformative change, before the cyber industry is forced into it under more dire circumstances, such as another SolarWinds or Log4j incident. Creating a Next Generation of cyber security leaders that bridges the gap between the public and private sectors benefits all.