A well-paid but heavy responsibility with a built-in ejector seat: that is one way of looking at the Chief Information Security Officer (CISO) position.
Data breaches can happen rapidly, with devastating consequences and little or no possibility of undoing the damage. Sales managers can see which way the wind is blowing in terms of sales revenue, and financial directors can ask banks for a loan to shore up corporate finances.
However, security compromises may only come to light when your confidential company data is found offered for sale by hackers on the Internet. Naturally, if not always justifiably, the CISO is one of the first to suffer the backlash. Beyond that, the following career pitfalls also await the CISO.
- Failure to identify or report a bug, whether or not a data breach resulted, can trip the ejector seat.
- Failure to address risk properly while still doing so in a cost-effective way.
- Divergence from the enterprise’s business strategies.
- Lack of practical solutions to information security challenges (FUD – fear, uncertainty and doubt – tactics are not a substitute).
- Reporting to another manager whose objectives are diametrically opposed to those of an effective information security plan – for example, a CISO reporting to a CIO under pressure to make cost savings throughout the department.
Advice from those who know suggests that the starting point for a successful CISO (where success may be defined as not being fired) is to understand the business and the business priorities of the organisation.
From those premises, the next item on the survival checklist is to know the scope of the CISO’s position: its limits, its dangers, and its opportunities to add value. A third item is to educate fellow managers and directors about information security and about how they have to contribute to making it happen.
Failure to get this message across can result in everybody assuming that information security is somebody else’s problem (yours), leaving you isolated and in a seriously delicate position.