Lets face it, being a CISO (Chief Information Security Officer) is no bed of roses. The ultimate responsibility for protecting the organization against a rising tide of hackers and state sponsored cyber spies intent on breaking in and stealing information rests firmly on the CISO’s broad shoulders. Being the CISO in most companies today usually means being starved of resources for additional headcount, tools, and services, while you spend each and every day with your back against a wall! And did I say every day?
Being a CISO is not a nine-to-five job. You also need to keep your wits about you during the dark hours when your boss and most of the Executive Leadership Team (ELT) are out for dinner or sleeping soundly in their beds. The ‘witching hours’ are between 7pm and 7am and at weekends when cyber criminals know all too well that the fort is unmanned and they can usually get away with whatever they want – largely unnoticed!
Photo: Evan Brockett |
A Typical Threat Scenario
7pm in New York and Midnight in London, is breakfast time in Beijing and Shanghai where many of China’s best cyber-spies work. The Peoples’ Republic of China (PRC) has invested in vast campuses of Peoples’ Liberation Army Cyber Units, whose role is to attack foreign organizations and steal not just defense secrets, but also commercial secrets that may help Chinese companies to catch up with and surpass their western counterparts. Despite an agreement between President Xi and President Obama in 2015, the dashboards of western Security Operations Centers stay lit with the Chinese IP addresses of active attackers every day and every night. According to a former FBI Special Agent, “China's corporate cyber-espionage apparatus is too big and too effective to shut down". "The genie is out of the bottle" he concludes.
7pm in New York and Midnight in London, marks 2am in Moscow when club revelers call it a night and return to their flats amongst the sprawling public housing projects. While they have been out clubbing, many of their neighbors have been busy testing the cyber defenses of their latest targets. The Hackers here are more ‘freelancers for hire’ working on occasions for the government, the FSB, GRU, or perhaps for a favor for someone well connected, but just as equally for themselves, paid by the job or paid by results. Entrepreneurial and opportunistic, these are the ‘shadow–dwellers’ who prey upon the weak and unprotected with phishing campaigns, malware, and much, much worse – anything that could generate them income, today, tomorrow, or next month.
The Russians and Chinese are not alone, they are just the largest adversaries by volume on the CISO’s situational threat board. It’s fair to say that in a global economy, the threats don’t just come out at night, it’s just that the attacks seem scarier when everyone else has gone home for the night and its dark outside, and as CISO, you may be standing alone!
Photo: Lionello DelPiccolo |
CISO Responsibilities
The CISO has to be aware of not just the constant attacks against his or her network, or the spear phishing campaigns against users in an attempt to deposit a malware dropper on their network attached computer. It’s a continuum of threats and risks that the CISO and his team have to defend and protect against. And when something goes wrong and some nefarious bot or person gets by the paper defenses? It’s the CISO who takes the fall, and takes responsibility for everything that went wrong leading to the breach – lax controls, inadequate staff for 24 by 7 operations coverage, no budget for user security awareness training, a mish-mash of out of date security products and applications, and the CIO or CFOs decision to select a proposal from a budget implementation vendor rather than the experts who actually knew what they were doing!
Decisions are often made by those above the CISO, safe in the knowledge that they have a ‘fall guy’. No wonder so many CISOs start updating their resumes, the day they start a new job! It’s a thankless job - a very, very stressful job, and if it were paid by the hour rather than salaried, CEOs might just begin to understand the level of effort and expertise required to secure a company from constantly changing cyber threats.
Why You Need an Exceptional Security Leader
Despite the challenges of the job, the role of the CISO attracts some of today's brightest and the best corporate executives - those able to understand, protect and promote the success of the business, and able to negotiate the boardroom and ELT politics, yet at the same time understand the intricate complexities of risk, security, privacy and compliance and the associated technologies used to monitor, measure and protect the business from cyber attack.
It takes a unique and broad set of skills to be a successful CISO, but it also takes a certain kind of person, one that doesn't give up easily and can get back up after being knocked down. Vision, passion, dedication, perseverance and sheer tenacity are key traits that usually come to mind for the job. The role of CISO is changing however, from a deeply technical role implementing tools within IT, to an executive role managing and directly reporting enterprise security risks to the ELT and the Board.
Vision, strategy and the implementation of a holistic enterprise-wide plan to minimize cyber risks and protect the CEO from having to step down following a headline breach is key. Gone are the days of simply promoting the "security guy" to a fancy new title to keep the board of directors happy. What is needed is much more. A proactive holistic approach to security that can be relied upon, rather than a reactive one to plug holes in the dyke. Advanced protection is always cheaper than remediation following a breach. Repairing a damaged reputation takes even more money, time and effort. After all, you cannot "un-ring the bell that has been rung!"
Finding a top quality cybersecurity talent is not easy when there's a 12x demand over supply for security professionals. Attracting a top-notch security leader is almost impossible as SecurityCurrent pointed out in 2015, and the problem is not getting any easier. In fact its getting worse.
Photo: Victoria Heath |
What You Need to Pay to Attract and Retain Top Security Leadership Talent
CEOs are experiencing a tough time attracting and retaining top CISO talent in today's highly competitive landscape. And it should be a CEO concern - not something left to HR. As a CEO your job security depends on the ability of your CISO to protect your reputation and the assets and credibility of the company you're charged with running.
CISO salaries have risen sharply over the past two years and the trend is showing no signs of slowing down. In fact CISOs in the big US cities can make in excess of $350,000 to $420,000 based upon 2016 salary studies by Forbes, Healthcare IT News, and by SecurityCurrent. Its non uncommon for the very best CISO total compensation packages to approach or exceed seven figures today.
CISOs are increasingly being asked to present directly to the board on an ongoing basis, and IDC predicts that by the time you read this article, 75% of Chief Security Officers (CSO), and Chief Information Security Officers (CISOs) will report directly to the CEO, rather than the CIO which used to be the case.
Given the trend towards 'cloud' and 'just about everything-as-a-service', many Chief Information Officer and Chief Technology Officer roles are going away, to be replaced by a corporate Chief Innovation Officer. It may not be long before the Chief Innovation Officer reports to their CISO; and for one simple reason, when you no longer own and operate everything, you are inherently reliant upon your partners to provide secure and resilient services to your customers. The job of validating that, falls on the CISO to ensure that innovative cloud technologies do not introduce unmitigated risk to the business.
With over one million open cybersecurity jobs, and average CISO salaries in sharp ascent, its clear that effective CISO’s are desperately needed and will continue to be a challenge to attract and retain. Despite a recent surge in the availability of undergraduate and post graduate courses in cybersecurity related disciplines, it will be many years before graduates have enough experience to take over a CISO role. Until then, you need to REALLY look after your CISO.
SecurityCurrent Average CISO Salary Report, prnewswire.com |
This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.