The Sacrificial CISO heralds a new age for cybersecurity

Will we see a rise in companies that throw their CISO to the wolves?

Tom Allen
clock • 2 min read
The Sacrificial CISO heralds a new age for cybersecurity

There are many different types of CISO, with many different backgrounds and reporting in to many different business lines. One thing they have in common is their wide, strategic view they of the business - or at least, it should be.

That's not always the case, said Ian Hill, Director of Information & Cybersecurity at Upp, in his keynote speech at this week's Cybersecurity Festival.

"Having someone at the top who doesn't get lost in the weeds and has a more strategic view is really important," he told the audience. "But sometimes you get people put into the role just so they can fill the title."

Hill calls these people ‘Token CISOs': A leader "assigned to tick a box from a compliance or PR perspective. They are often not senior enough to make strategic decisions or to have visibility of the wider business risk profile."

The Token CISO doesn't, thankfully, represent the majority of security leaders. Hill defined other types: Transformational, Tactical, Compliance Guru and more. These are all important archetypes, but we're also seeing the rise - very limited in scope for now - of one more: the Sacrificial CISO, someone who "carries the can" for a cyber breach.

The most obvious example of the Sacrificial CISO is Uber's Joe Sullivan, who now faces jail time for his role in concealing a 2016 cyber-attack against the ride-hailing firm.

"This shows we're getting to a place where the role of CISO is [personally] accountable and might be why we're seeing an increase in taking on third parties CISOs - as a risk mitigation strategy. It's far easier to blame a consultant for a lapse in judgement than a tenured executive."

Hill urged the audience - who were largely senior security leaders - "to be open and transparent. If you're not, it will come out and you will face the rap."

Changing attack landscape requires change in security

As any IT leader can attest, cyber-attacks are on the rise, with incidents increasing an average of 30% year-on-year. That means we can't continue to rely on traditional approaches like ‘people, process and technology'. Although still relevant, it looks increasingly outdated as attacks rise and teams shrink (or at least, fail to grow).

The modern CISO should instead look at a federated response known as Progressive Cyber, emphasising that cyber-security is not only the domain of the IT department.

"Make it everyone's problem," said Hill, "and outsource the hard bits."

Finally, he advised everyone to keep the following in mind when asking for increased budget - especially in this time of economic uncertainty:

"The CISO's role is to bring value by protecting value. Often when a CISO is asking for budget, business leaders will ask what value it will bring to the business - but it's not there to bring value, it's there to protect it."

You may also like
Interview: The role of curiosity in security leadership

Strategy

How it helped one CISO shape his security strategy

clock 11 January 2024 • 5 min read
CISO salary growth slowing - and they're expected to seek change

Corporate

Tech-oriented CISOs tend to earn more than those focused on compliance

clock 12 October 2023 • 2 min read
Teens on trial for hacking Uber, Rockstar and others

Hacking

They are also alleged to have links with Lapsus$ gang

clock 13 July 2023 • 3 min read
Most read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Security

Bank of America admits data breach after supply chain hack

Bank of America admits data breach after supply chain hack

Customer info exposed

Tom Allen
clock 13 February 2024 • 2 min read
Breach exposes personal info in 'world's biggest casino' app

Breach exposes personal info in 'world's biggest casino' app

Casino owner tries to claim data was 'publicly accessible' on purpose

Vikki Davies
clock 12 February 2024 • 2 min read
 Klaxon: Security Excellence Awards deadline for entries is this Friday!

Klaxon: Security Excellence Awards deadline for entries is this Friday!

Time is running out to enter

clock 31 January 2024 • 1 min read