CSO, don't allow yourself to get hung up on the "C" in your title. Instead, view yourself as an operator, a general manager that must balance cost, opportunity and risk everyday on behalf of thousands of stakeholders. 

According to George V. Hulme in a recent CIO.com article entitled "The CSOs Failure to Lead":

"Talk to any information security professional over the past decade about a number of their greatest perceived challenges when it comes to doing their job. More often than not you'll hear about how their organization's business leadership didn't provide them the support and space they need to secure their organizations properly. One way you'll hear this is when it comes to the lack of budget. Another way you'll often hear this expressed, is as security "doesn't get a seat at the table."

The Chief Information Security Officer (CISO) sees risks but often cannot get the attention of decision makers to address the risk. This obviously generates frustration on the part of the CISO and can lead to an escalation in the tenor of the warnings or worse, repeating the exact same messaging louder and more often. Too many security professionals believe the very existence of a risk is reason for action. 

Full time risk managers

Our observation is that security professionals view themselves uniquely as risk managers and do not appreciate that their entire company is in the business of risk management all the time. The CIO and business general managers are making decisions to manage risk every single day. It is their fulltime job. To them, security risks are analogous to many other risks they manage, some they will mitigate today and some they will put off until tomorrow. 

Every steward of risk in the company cannot have a “seat at the table.” Is the CISO managing more risk than a plant manager? Is the CISO managing more risk than a regional sales leader? Is the CISO managing more risk than the IT infrastructure team or the application management team? 

Risks abound in companies, some are life or death, some are criminal, some are existentially financial. The people “at the table” have the responsibility to manage these risks and only bring those to the table that require the other members of the table to know about or work through. 

Maybe the misperception stems from the title. The word Chief has certain implications on the level of authority one has and, in most cases, there is not a lot of authority in the CISO role. The word “general manager” is more applicable. The Security General Manager (SGM) needs to be a manager of risk and a builder of consensus. 

Keys to success for SGMs

Understand What Your Organization Values - Like all general managers of complexity, the SGM must immerse themselves in the business and understand the tradeoffs that have resulted in the current situation. More times than not, the tradeoff is highly educational. It represents the values of the organization, some of which will never change and need to be accepted. These values are often codified as guiding principles.

Adopt a Security Risk Categorization Framework – The organization does not understand security risk like the SGM. The SGM needs to create a framework and vocabulary for describing risks, likelihood and impact. The more applicable this is to other risks in the organization, the easier it will be for people to adopt.

Socialize a Security Architecture and Roadmap – The reality is that the SGM is right about the risks.  This is their job and it is mostly based on known threats that are actively happening to other organizations. But, being right is no excuse for not creating an architecture and roadmap for the organization. The SGM is pretty certain that security software will be bought as soon as a threat materializes, but those buying decisions are costly and sometimes suboptimal. 
The SGM cannot rest on the certainty that materialized threats will result in remediations to processes and purchases of technology. They owe it to the organization to lay out the entire architecture and facilitate good decision making in the face of urgent risk mitigation. This is what all the other general managers in the company do ... at least the ones that keep their jobs.

Do Your Boss’s Work for Them – Find out what risks the boss elevates and why. Then find out what form that information takes and what level of diligence must support it. Now communicate to the boss in the way the boss must communicate up. Make it easy for the boss to understand the risk by putting it in their terms the way they need it.

Earn References From the Business –  The SGM must get out of the office and make a difference. The SGM needs to be part of the solution. Meet with legal, HR, sales, manufacturing, R&D and other groups so that they know what the SGM can do for them.

Work every day to inspire someone outside of IT
to call the boss and thank them for hiring such a proficient and helpful security manager. The SGM needs to be like a great tax accountant, not responding with yes or no, but responding with how and why. The business accepts risks every day, the SGM should equip the CIO and business to be general managers of their areas by serving and educating. 

CSO, don't allow yourself to get hung up on the "C" in your title. Instead, view yourself as an operator, a general manager that must balance cost, opportunity and risk everyday on behalf of thousands of stakeholders.  And, get busy equipping the large and small general managers in your company to manage risk better because of your service and influence... whether you ever get that coveted "seat at the table" or not.

Michael Lee is the Managing Director of Quality Deployment. He can be reached at insights@qdbve.com.

The Best Kept Secret for IT Professionals.

Learn how we keep you more informed than your competition in half the time.

arrow

No Comments

Add a comment