{"id":22473,"date":"2020-12-01T10:17:18","date_gmt":"2020-12-01T10:17:18","guid":{"rendered":"https:\/\/www.experfy.com\/blog\/ciso-must-first-foremost-leader\/"},"modified":"2023-10-02T13:42:51","modified_gmt":"2023-10-02T13:42:51","slug":"ciso-must-first-foremost-leader","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/ciso-must-first-foremost-leader\/","title":{"rendered":"The CISO Must Be \u2013 First And Foremost \u2013 A Leader"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

The key challenges of the transformational CISO are not technological, but managerial.<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

There is still a vast amount of debate across the cyber security industry about the role of the CISO, their reporting line, their\u00a0tenure<\/a>, the levels of stress they\u2019re under, and the\u00a0burnout<\/a>\u00a0epidemy they\u2019re suffering.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

But looking into the actual profile of real people in those jobs, talking to them and listening to their problems, you\u2019d quickly realise that there is a fair amount of creative writing involved in a lot that\u2019s being posted.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

It is easy to write about \u201cthe CISO\u201d thinking this is a fully established C-level role and one of the pillars of corporate governance. In practice, this is far from being the case and the harsh reality is that the role itself is far from mature, in spite of having been in existence \u2013 in some shape or another \u2013 for about two decades.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The job title \u2013 to start with \u2013 is far from universal (and has never been). A large number of variants are in use, and behind those, different role descriptions reflecting the perceptions and priorities of each organisation, which in turn find themselves reflected in the reporting line of the function.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Compounded by the natural differences between industry sectors and the security maturity levels of each company, it creates a myriad of roles, which \u2013 in the end \u2013 can have very little in common.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The actual reality of the role of a \u201cCISO\u201d reporting to a board member in a mining firm, will have very little to do with the role of a \u201cCISO\u201d reporting 2 levels below the CIO in a retail organisation. Even if good practices are the same \u2013 and have been for a long time, and still protect \u2013 putting them in place in each of those situations will have very different meanings.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

So talking about \u201cthe CISO\u201d is often a dangerous shortcut when trying to address the functional or operational aspects of the role.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Where there are commonalities, is around the softer aspects of the role.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

First of all, if an organisation is large enough to frame the role in CISO terms, it is likely the CISO will have a team below them. This is where many articles on the theme often go wrong: They talk about \u201cthe CISO\u201d as if he or she was a one-man (woman) band, directly involved in the delivery of all aspects of their cyber security practice. That\u2019s rarely the case. In most organisations, the CISO is effectively a leader<\/a>, structuring, organising, delegating and orchestrating work across their team and across the firm \u2013 and across the multiple third-parties involved in delivering or supporting the business.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The CISO should also be expected to be able to listen to business leaders across corporate silos, understand their priorities, and adjust security practices to their demands and expectations.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIt is simply absurd to pretend that the CISO should have those managerial skills, and \u2013 at the same time \u2013 expect them to constantly put out\u00a0burning fires<\/a>, and be credible all the time and all the way across all technical stacks and across all silos of a large corporate. These unicorn profiles simply\u00a0don\u2019t exist.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What is not absurd is to expect the CISO to structure and lead a team which can be credible on all those fronts \u2013 and firefight, and bring along long-term change. That\u2019s the only way it can work in large firms.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Senior executives also need to understand the complexities involved in leading true security transformation across large corporates, and accept the gaps which may exist at times between knowing what needs to be done to protect the business, saying it should be done and making sure it gets done, for good and across the real breadth and depth of the enterprise.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

In bridging those gaps, lie the real challenges of the role of the transformational<\/a> CISO. Those are not technological challenges, but managerial, political and governance challenges.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

To be successful, the transformational CISO needs to be \u2013 first and foremost \u2013 a leader with a good business brain. Not just a firefighting<\/a> technologist.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

To be successful, the transformational CISO needs to be \u2013 first and foremost \u2013 a leader with a good business brain. Not just a firefighting technologist.<\/p>\n","protected":false},"author":529,"featured_media":18033,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[1069,943,462],"ppma_author":[3178],"class_list":["post-22473","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-chief-information-security-officer","tag-ciso","tag-cyber-security"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. He is the author of \u201cCyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d, He contributes regularly to\u00a0The Digital Transformation People<\/a>,\u00a0Business 2 Community<\/a>, and\u00a0IoTforAll<\/a>\u00a0platforms, as well as the\u00a0Business Transformation Network<\/a>. He is an expert contributor on the\u00a0CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0InfoSecurity<\/a>\u00a0Magazine, \u00a0Computing<\/a>, the C-Suite.co.uk,\u00a0Info Sec Buzz<\/a>\u00a0and the\u00a0IoD Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/22473","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=22473"}],"version-history":[{"count":10,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/22473\/revisions"}],"predecessor-version":[{"id":33168,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/22473\/revisions\/33168"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/18033"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=22473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=22473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=22473"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=22473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}