Yet he adds that there are other pertinent issues, from educating, informing and managing expectations of senior stakeholders to improving security processes.
“As a CISO you need to find ways to rationalize and simplify what you are trying to deliver, and make sure the team stays on message.”
What makes a successful CISO?
How can you be successful in a post where security incidents and management feuds can result in losing your job? Thacker believes it’s all about integrating yourself in the business.
“A successful CISO is the person who is approachable and can help make educated decisions before, during and post incident. They will have a good knowledge of the organization and understand the inner workings from business process through to data processing whilst utilizing their knowledge and intel from the threat and risk landscapes to position their team to be most effective when an incident arises.”
Palmer, however, believes that you should never believe yourself to be successful.
“I have yet to meet any CISO who thinks they have been successful, we are all too aware of the scale of the challenge and that the job is never done. If you are one step ahead today, you are one step behind tomorrow.”
Nonetheless, he adds that “you are part of the way there” if you understand the defined objectives of the business, improve controls “faster than the bad guys”, improve the security team while maintaining stakeholder support.
Dealing with management
One question that continues to abound, even now, is how CISOs work with senior management. In my recent piece, it was suggested that sacked CISOs often fall down on articulating the security problems – and solutions – to senior management. And experts say that board understanding and security budgets are invariably linked.
“Boards and non-execs today often set a high standard, but very few have security expertise or seek external advice to challenge their internal security team effectively,” says Palmer, adding CISOs should always look to use their budget wisely, and utilize existing technology resources where possible.
“A CISO rarely has adequate resources or budget to deal with the challenges therefore their strategy is critical to ensure they maximize the available resource,” said Thacker. “The identification of the most critical assets of the organization should be performed regularly and resources assigned to protect these assets.
“Most management teams will see value in meaningful measurements using a risk-based approach. Support or trust comes with an open and honest discussion whilst explaining the impact to the organization if the risks are not mitigated to an acceptable level.
If the worst happens, you’ll bounce back
As we explored recently, sacked CISOs are surprisingly hard to hear of, with most let go on “agreeable” terms in order to protect the public image of the company.