The Sacrificial CISO heralds a new age for cybersecurity

Will we see a rise in companies that throw their CISO to the wolves?

Tom Allen
clock • 2 min read
The Sacrificial CISO heralds a new age for cybersecurity

There are many different types of CISO, with many different backgrounds and reporting in to many different business lines. One thing they have in common is their wide, strategic view they of the business - or at least, it should be.

That's not always the case, said Ian Hill, Director of Information & Cybersecurity at Upp, in his keynote speech at this week's Cybersecurity Festival.

"Having someone at the top who doesn't get lost in the weeds and has a more strategic view is really important," he told the audience. "But sometimes you get people put into the role just so they can fill the title."

Hill calls these people ‘Token CISOs': A leader "assigned to tick a box from a compliance or PR perspective. They are often not senior enough to make strategic decisions or to have visibility of the wider business risk profile."

The Token CISO doesn't, thankfully, represent the majority of security leaders. Hill defined other types: Transformational, Tactical, Compliance Guru and more. These are all important archetypes, but we're also seeing the rise - very limited in scope for now - of one more: the Sacrificial CISO, someone who "carries the can" for a cyber breach.

The most obvious example of the Sacrificial CISO is Uber's Joe Sullivan, who now faces jail time for his role in concealing a 2016 cyber-attack against the ride-hailing firm.

"This shows we're getting to a place where the role of CISO is [personally] accountable and might be why we're seeing an increase in taking on third parties CISOs - as a risk mitigation strategy. It's far easier to blame a consultant for a lapse in judgement than a tenured executive."

Hill urged the audience - who were largely senior security leaders - "to be open and transparent. If you're not, it will come out and you will face the rap."

Changing attack landscape requires change in security

As any IT leader can attest, cyber-attacks are on the rise, with incidents increasing an average of 30% year-on-year. That means we can't continue to rely on traditional approaches like ‘people, process and technology'. Although still relevant, it looks increasingly outdated as attacks rise and teams shrink (or at least, fail to grow).

The modern CISO should instead look at a federated response known as Progressive Cyber, emphasising that cyber-security is not only the domain of the IT department.

"Make it everyone's problem," said Hill, "and outsource the hard bits."

Finally, he advised everyone to keep the following in mind when asking for increased budget - especially in this time of economic uncertainty:

"The CISO's role is to bring value by protecting value. Often when a CISO is asking for budget, business leaders will ask what value it will bring to the business - but it's not there to bring value, it's there to protect it."

You may also like
IT Essentials: Sun, stress and security


Burnout is the scourge of UK cyber - don't let it ruin your holidays

clock 20 May 2024 • 3 min read
"You have to tell a story that people want to listen to," says Davies CISO


Trying to scare budget out of a board doesn't work

clock 14 May 2024 • 5 min read
IT Essentials: Curtain call for irresponsible cyber


With great pay comes great responsibility

clock 13 May 2024 • 2 min read
Most read

Arm tries to block Copilot+ PC lauch

18 June 2024 • 2 min read

Cyber gang shifts focus to SaaS apps

18 June 2024 • 2 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Security

Cyber gang shifts focus to SaaS apps

Cyber gang shifts focus to SaaS apps

‘Scattered Spider’ is targeting vSphere, Salesforce, Crowdstrike and more

Vikki Davies
clock 18 June 2024 • 2 min read
Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

A relatively quiet month

John Leonard
clock 12 June 2024 • 2 min read
Cloud encryption rates are disastrously low, research

Cloud encryption rates are disastrously low, research

Come on in, the door's open

John Leonard
clock 05 June 2024 • 2 min read