You and I will get breached – one day – it’s just a question of time. This is what the security community considers as the “assume breach” principle. In order to learn this mantra, we had to go through some pain: hundreds of data breaches throughout the last years and decades of companies of all sizes have demonstrated that it can and potentially will happen to everyone one day. Even worse – this can even happen to companies with strong security teams and budgets available. Strong infosec teams & culture will probably delay the breach but is no guarantee to finally prevent it.
And who is expected to prevent all this from happening: the CISO!
In this article I would like to discuss why firing your security executive (CISO/CSO) in case of a breach is not always the best step you should take. I will bring up some discussion points that raise questions whether problems could reside much deeper in your organization and making pawn sacrifices is rarely resolving the problem completely.
This article has been flying around for some time on my todo-list and it’s far from perfect since discussions could get into much more details – but I hope I’m able to transfer the core points of my opinion.
Let’s assume you and your company have been subject to a data breach so you most probably end up in one of these statistics moving forward. Now you intend to do something about it (
in order to satisfy shareholder pressure) and instead of thinking your actions through before you act, you fire your CISO. It’s a data breach – the reason why you hired this person has been to prevent exactly this situation – the CISO didn’t fulfill your expectations, therefore she needs to go. What I would kindly ask you to do is read this article first, review your intentions and only fire your CISO afterwards if you still think it’s the best choice for your company. I don’t want to push away the responsibilities of CISOs – the intention is more to stimulate other opinions and views on the situation instead of following by default the standard approach: security incident means firing the CISO.
In case of a breach, did you consider holding your IT responsible or the business representative responsible as well?
While firing the information security person seems to be legitimate on the first hand, it could be fundamentally wrong in the end. A CISO is not the single savior of your organization in regards to information security. In contrast, they are expected to connect the loose wires and bring people, entities and even complete departments together in order to do the right thing for the company regarding infosec risks. Back in the old days, “IT Security” was buried somwhere in the IT department since it mainly concerned IT. This situation shifted – infosec concerns way more than solely the IT department, caused by the ongoing digitization of our industry and society. This also means: risks have shifted – away from mainly IT to the senior leadership in the company.
CISOs do not own the risk finally – they solely own the responsibility to manage the corresponding infosec risks, but are not finally accountable for information security. Accountability cannot be delegated. This accountability can only be carried by the business itself, however – it seems to me that this opinion is still hardly shared today. Too often the business does not want to be involved or does not put the right prioritization on infosec relevant actions.
CISOs need to be set up for success – and this is often not given according to my understanding. A huge amount of different and complex circumstances define whether your CISO will be successful with her mission of moving the information security posture of your company to the next level. In case the infosec topic is important for you and you thought you hired the right CISO, but still got breached: Review why your CISO was not successful. Yes – the outcome could be because the CISO was the wrong one and made fundamental mistakes – fair. But it’s also important to search for potential reasons in other corners – how did IT execs support the infosec strategy? Were they supportive? What about other stakeholders? Did the senior leadership in the company understand their role in enabling the infosec strategy? What about the business itself? Risk appetite?
I understand that this is an unpopular opinion which is not shared widely by the business – but it’s worth thinking about this since infosec is a team game. Without the IT and the business, CISOs will hardly be successful.
Are you ready to throw valuable lessons-learnt out of the window?
By firing the CISO after a breach, you disconnect your company from a great possibility to learn from your previous mistakes. You are aware of the saying: “Never miss a great crisis!”? A successful breach is normally a crisis – which you need to use as a learning lesson.
Let’s face it: If you get breached, your company made a mistake – otherwise you wouldn’t get breached. Your company needs to take over the responsibility for it. Somewhere in your risk profile controls have failed due to technical, procedural or human errors. The CISO needs to take over responsibility to fix this situation so she is probably one of the better suited person in your company that knows that went wrong and why. Perhaps she was not able to prevent the breach from happening, but at least knows what to improve in the future and why specific controls failed. There is lot’s of work to do!
Needless to say: CISOs must not run away from the responsibility they have – they are in a driver-seat now in order to clean up the mess and receive the corresponding support from the business / core stakeholders to ensure it does not happen again.
“We’re like sheep waiting to be slaughtered,” said David Jordan, the chief information security officer for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach. This job is not for the fainthearted.”
Did you set up your CISO for success?
Most of the companies still struggle to fully understand the need for information security by default. While this seems strange to some readers, it’s unfortunately the reality infosec people have to live with day in and day out. So we are living in a world where we need to justify our existence almost daily. Within this environment, you as the CISO are expected to bring the company on course – this sounds complicated.
In case there is no security incident, questions about the budget / headcount come up “Why do we need security? We seem to be doing quite well – we are safe.”. When the breach finally happens: “Why did the CISO not prevent it? This is what she was hired for!”
Infosec is often still treated like a one-time project instead of a never-ending story for a lot of companies – and the CISO is basically the PM who is supposed to take away all the pain. What could possibly go wrong?
In this context it’s also important to mention that CISOs have the responsibility to be able to demonstrate the business value of their actions – if you struggle to do so, there is a chance that your actions are not in alignment with the business needs.
Finally, when we talk about the ability to act successfully as a CISO, we need to talk about the reporting lines. For this topic, there is no aligned consent across the infosec industry. Here is my version of it:
In contrast to ordinary IT folks, infosec people can think in threat models – they can understand and picture the way of potential attackers and then build up controls that break the attack chain. So it is superior that these people get the possibility to step in and speak up if needed – this cannot be done when they report into IT.
Why? Because the concept of “checks and balances” is broken in this case. In a traditional sense, infosec functions are supposed to review and control from a security perspective the stuff that IT builds up. In case the CISO reports into the CIO/CTO, this will never be done properly since the tendency to get a project live is way stronger than getting it live with proper security controls enabled.
Setting a CISO up for success is not trivial: It begins with senior executive support and alignment throughout the entire company, the willingness to drive and execute change, set up the right culture, continues with the right budget and manpower followed by reporting line etc.
Did your CISOs hold too much of your enterprise risk?
Infosec is the little baby of risk management – and risk management requires risk to be properly owned and managed within modern companies. Since infosec is a risk to the business, the ultimate risk ownership lies in the business, not with the CISO. The CISO is the person that got hired by the business to remediate and manage the risks on their behalf. This can only be done through the right committees with access to the right stakeholder groups in order to make risks transparent and get support for managing them properly. The responsibility should be delegated to the CISO – accountability can never be delegated. This does not mean that the CISO now finally owns all the risk and the business can do what they always did. Since digitization touches almost every part of our life, these days are definitely over. Instead, the business needs to understand and support this view – in case they don’t, the CISO will work on improving the risk landscape within the company while the business will continue to circumvent it (e.g. Shadow IT). The business needs to wake up and take over responsibility for the infosec part as well in the 21st century.
Why? Because infosec risks can strongly interrupt the business itself – it’s not longer only a “goodie”, like “yet another technology/IT risk”. During the Corona situation in 2020, the business relied strongly on functional security services such as VPN for enabling working from home etc.
For other risks that became powerful enough to strongly impact the business, the business took over the responsibility already and manages these risks now properly (e.g. regulatory risks). The same needs to happen with infosec as well.
Hiring a CISO is not enough – but by hiring the right person for the CISO position, supporting the CISO as best as they can, enabling her and taking over the accountability for the risks that come up due to business processes is one of the right first steps the business should take. Then, perhaps, risks can get properly addressed and reduced for the ultimate risk owner – the business.
Is your CISO function a one-man army?
Don’t assume that you hire a CISO and then your job is done – this is similar to hiring one soldier and assuming that you can win the war. Infosec is a team game – yes, one CISO within a tech- as well as infosec-aware organization can achieve awesome things by solely connecting the dots and leading stakeholders into the right direction. But be assured that the amount of tech- as well as infosec-aware companies is still extremely low – there is a high chance that yours is not one of those. The more services & maturity you expect from your infosec department, the larger the headcount needs to be. Someone has to actually do the job in the end.
Additionally, also the day of the CISO has 24 hours and the week 7 days. Depending on the local setup, the CISO quickly gets dragged into various topics where their advise is required and their timetable gets filled. The digital transformation does not make this situation easier but exponentially increases the workload of the CISO since nowadays all digital project topics somehow need to be reviewed from an infosec perspective. Who is supposed to do this? Project teams driven by IT or the business normally do not do this on their own – and they shouldn’t – since they don’t have the people with the right background, mindset and skills in their teams. This kind of work should be done by infosec consultants with a corresponding background and mindset reporting into the CISO function. Don’t expect your CISO to be a superman who can handle dozens of project requests on their own and still provide high-quality outcome – you get what you pay for.
Additionally, various huge organizations still fail in regards to operationalizing infosec. Folks – at the end of the day it is not about the technology although this seems to be the easiest answer. At the end of the day it’s about the service that you can offer to your business so that they can manage and understand their risks better. Your C-level hardly cares whether your appliance blinks green in your datacenter – they care whether this appliance enables a service that reduces risks for the company. For this, you need people – people to operate all the fancy cyber stuff you buy for $$ and put into your datacenter and ultimately create a value-add for the organization. (Security) technology without people operating it as a service is useless as the Internet without the human being adding valuable content.
So enterprises need to understand that the infosec costs are not solely about buying technology and integrating it properly into the existing IT landscape. Budget for ongoing operational manpower needs to be considered from the beginning on – otherwise your investment is basically useless and a waste of money. Personally, I don’t believe in self-operating security technology – this is a myth that the security industry tries to tell us. Each time you buy technology or solutions, you need to consider the operationalization of it. I have the impression that especially the last part is not yet very well understood by business and security people alike. And I think that the security community / industry is mainly responsible for this situation since they are communicating an infosec world in which you can achieve security through buying technology. We are not there yet – and will most probably never be there.
“If you know you’re going to be sacrificed, you want a sufficient reason to take the job,” said John Kindervag, a security analyst at the market research firm Forrester. “People aren’t talking about what we’re doing to these poor people. We’re putting all this complexity on their shoulders and then it’s just ‘Good luck!’ ”
The hunt for the right CISO is still a difficult one and this situation will most probably not change over the next years. The huge amount of different skills and qualifications CISOs need to bring along will even increase in the future due to the never-ending advent of new technologies as well as regulations & laws on our journey to a fully digitized society.
So companies need to be vigilant when it comes to hiring the right person for their needs – HR plays a major role in this part of the process and I guess we have a very long journey to go to make sure they understand this importance.
However, companies also need to understand what they want, need and how the end result has to look like from their perspective. They need to be ready to invest into something more than hiring simply a CISO – they need to invest more than money – they need to invest their attention, their culture, their top management buy-in and they finally need to invest into holding people accountable for what they do. This is not limited to infosec people – this needs to include other core stakeholders in your company. Infosec is a business risk that requires teamwork in order to be managed and handled.
So firing the CISO in case of a breach is an option, a legitimate one, but should not be considered as the only rightful one. Infosec is complex and it will get worse due to the increasing technical as well as legal & regulatory complexity – I therefore strongly encourage responsible executives to think twice before going down this path.