The Sacrificial CISO heralds a new age for cybersecurity

Will we see a rise in companies that throw their CISO to the wolves?

Tom Allen
2 min read

There are many different types of CISO, with many different backgrounds and reporting in to many different business lines. One thing they have in common is their wide, strategic view of the business - or at least, it should be.

That's not always the case, said Ian Hill, Director of Information & Cybersecurity at Upp, in his keynote speech at this week's Cybersecurity Festival.

"Having someone at the top who doesn't get lost in the weeds and has a more strategic view is really important," he told the audience. "But sometimes you get people put into the role just so they can fill the title."

Hill calls these people 'Token CISOs': a leader "assigned to tick a box from a compliance or PR perspective. They are often not senior enough to make strategic decisions or to have visibility of the wider business risk profile."

The Token CISO doesn't, thankfully, represent the majority of security leaders. Hill defined other types: Transformational, Tactical, Compliance Guru and more. These are all important archetypes, but we're also seeing the rise - very limited in scope for now - of one more: the Sacrificial CISO, someone who "carries the can" for a cyber breach.

The most obvious example of the Sacrificial CISO is Uber's Joe Sullivan, who now faces jail time for his role in concealing a 2016 cyber-attack against the ride-hailing firm.

"This shows we're getting to a place where the role of CISO is [personally] accountable and might be why we're seeing an increase in taking on third-party CISOs - as a risk mitigation strategy. It's far easier to blame a consultant for a lapse in judgement than a tenured executive."

Hill urged the audience - who were largely senior security leaders - "to be open and transparent. If you're not, it will come out and you will face the rap."

Changing attack landscape requires change in security

As any IT leader can attest, cyber-attacks are on the rise, with incidents increasing an average of 30% year-on-year. That means we can't continue to rely on traditional approaches like 'people, process and technology'. Although still relevant, that model looks increasingly outdated as attacks rise and teams shrink (or at least, fail to grow).

The modern CISO should instead look at a federated response known as Progressive Cyber, emphasising that cyber-security is not only the domain of the IT department.

"Make it everyone's problem," said Hill, "and outsource the hard bits."

Finally, he advised everyone to keep the following in mind when asking for increased budget - especially in this time of economic uncertainty:

"The CISO's role is to bring value by protecting value. Often when a CISO is asking for budget, business leaders will ask what value it will bring to the business - but it's not there to bring value, it's there to protect it."
