It's really simple from an organisational politics perspective. Some CIOs will hire a CISO, who may know that they probably won't get the funding or resources to run an effective security function, but let's give them the benefit of the doubt. So a CIO buys themselves an insurance policy by promising resources and funding, so a CISO comes on board and is thwarted at every twist and turn. Commitments to fund programmes are only partly met, co-operation isn't as forthcoming as they'd wish. And at some point there will be a breach, because there always is. Maybe it's someone dropping confidential paperwork in the street, someone attaching the wrong file to an email or an administrator incorrectly permissioning a resource. In response the CISO is let go, because accidents don't happen, it's always someone's fault and blame must be apportioned and blood let.
I'm still looking for answers as to why the CISO has to be the sacrificial lamb when a lot of security is not under their control. Shouldn't we be holding operations people and their managers responsible?
Here's an article that discusses the plight of today's modern day CISO: "Is the CISO a second-class executive?" Are CISOs the victim of a business that "doesn't get it"? Or is the business a victim of CISOs that "don't bring it"? The crux of this problem is the perceived value return of security under the leadership of the CISO. Two key points really undermine the CISO's perception:
@AppDefects This makes me think of a few different things. If you take a person who was raised in a toxic family, when they grow up all they know is what toxic looks like and they have no idea what healthy looks like, and I think the same rings true here. If a company has had bad habits and no understanding of how and why security is needed, it will take a lot to have them understand how it should really be and why it is better that way. This also made me think how often IT in general was seen as just a black hole of a money pit with no direct return. Some companies developed charge-back systems to pass the cost back to the associated departments, and this made IT into a profit centre instead of a black hole. With more moving to cloud platforms it is even easier to associate charges directly to departments. Security in general to me is a bit like car insurance: those who understand the value get good coverage, and those who don't get only what is required by law, but when misfortune happens one is left reassured and intact and the other is taking the bus!
They have to be shown that security goes much further than just keeping data out of the hands of those who should not have it, and how it affects image, reputation, trust, and so much more. It is these intangible items that will definitely have a major impact on the bottom line, sales, and every other aspect of the business. They just need a little help to understand this. And of course, like insurance, if things always go right and you never need it you wonder if you really needed that level of coverage, but it just takes one issue to make you thankful you have it!
If you compare it to medical malpractice, doctors don't get fired because patients are ill; it's about what they do or don't do to treat the illness. It's possible to understand if the CISO presides over a poor response to an incident, i.e. fails to respond in a timely manner or is responsible for providing inaccurate media statements. But for organisations that keep firing CISOs for the illness, i.e. the fact that there are attackers out there, that doesn't seem to be a sustainable way forward.