The CISO is a precarious job. Research studies indicate that CISOs typically survive just 18 months to two years in a job which is increasingly complex and multi-skilled.
After all, information security is no longer solely about managing firewalls and patch management, but rather a varied role encompassing business and technical skills. Add to that continual issues around funding, reporting lines, governance and a lack of support from the board and you can see why the role is not to be taken lightly.
Indeed, Deloitte says that the CISO today must have four ‘faces’: the strategist, the adviser, the guardian (protecting business assets by understanding the threat landscape and maintaining security programs) and the technologist.
The consultancy found that CISOs on average spend 77 percent of their time as “technologists” and “guardians” on technical aspects of their positions, although they would like to reduce this to 35 percent – a sign of the times perhaps.
Gary Hayslip, CISO of the city of San Diego, detailed on LinkedIn just how varied the role now is.
“The position as CISO is not for the faint of heart, it requires knowledge of disparate security technologies, risk management frameworks, as well as network and security architectures,” he said, adding that an understanding of federal and state law, of compliance and of how to develop security strategies is also required.
Forcepoint Deputy CISO Neil Thacker told CSO that the five main challenges for today’s CISOs are managing risk, communicating with major stakeholders, managing security operations, ensuring data protection and guarding against the insider threat.
“Many of these challenges can be overcome by working with the organization and not for the organization.
“CISOs need to find the right balance of when and where they can delegate responsibility or when they need to manage this responsibility directly. As the size of the organization increases, the responsibilities must be shared and each department will need to own more of the organization risk and communicate regularly with the CISO. The CISO should also ensure each department receives the right education tailored for their needs and ensure risk and security metrics are shared pervasively across the organization.”
Matt Palmer, CISO at insurance broker Willis Towers Watson, says that often the biggest challenge is for security heads to look at how they can improve security operations.
“The top challenge is often overlooked - it’s the ability to look forward,” he said.
“Most of the time in a large organization you will be spending your time with issues that are either historical or immediate, they require operational or tactical decisions rather than strategic. Yet, the world is changing so fast that you have to be ruthlessly strategic. When you try to do so, visibility is limited and the future often foggy. Finding that clarity and aligning strategic and operational priorities in the best interest of all stakeholders is the challenge we face.”