The rise of the token CISO

Ian Hill, Global Director of Cyber Security, Royal BAM Group, shares a disturbing recent experience with a fellow professional, and argues that some CISOs don't truly understand the nature of their role

I've had the honour of being invited as an expert panellist to several industry events recently, on a variety of important topics relating to cyber and information security. However, at one of these I had a rather odd experience just prior to the panel going live, which got me thinking.

It was a virtual panel, with a moderator, producer and four panellists. The fourth panellist was late, and finally arrived after being chased by the producer. However, what happened next was wholly bizarre.

The late arrival looked at their screen and exclaimed, "I don't know two of these panellists!" The producer attempted to explain, but before they could finish, was cut short with, "I don't feel comfortable with this, I'm bugging out". So, the CISO of a very large multinational organisation (who will remain nameless) pulled out just before go-live because they didn't know two of the other panellists, who were in fact highly experienced and qualified in information & cyber security.

I was disappointed to witness such an arrogant and disrespectful outburst from a high-profile peer, which is not befitting our profession and the subject that the rest of us work so hard to advocate. For my part, I didn't know the other two panellists either, but I was honoured to be able to collaborate with them, to debate a very important topic through the sharing of our knowledge and experience - and that's the point.

These are dark times, where ego and over-inflated self-importance can cloud judgement and detract from openness and dialogue, when really a CISO needs to be an ambassador, an evangelist, a thought leader, collaborator and inspiring motivator.

It's not the first time I've encountered this sort of behaviour from a senior security professional, and more often than not it is those individuals who have somehow fallen into the role and don't understand or appreciate that responsibility. The role of CISO has changed over time and now covers a broader spectrum of disciplines, typically including:

The CISO needs strong leadership skills but, more vitally, a solid understanding of information technology and security. They need to be able to communicate the subjects at both a technical and a non-technical level, while at the same time having good experience of risk management. They are also expected to have extensive working experience of IT and security, and to hold the CISSP (Certified Information Systems Security Professional) certification, the CISM (Certified Information Security Manager) certification, or both.

Not only that, but there are also now several types of CISO, the generally accepted top 6 being:

All of these roles require a high level of skill and competency, yet we're now seeing more 'Token CISOs'. While many have worked their way up from an IT background, or via governance, risk & compliance, there are those who have simply been assigned the role. As more businesses realise the importance of information security, and with recent focus on supply chain risk leading to more scrutiny over how they protect their information assets, there is pressure to just find someone to fill the role, without completely understanding its importance.

Choosing the right type of CISO is an important decision and mitigates a business risk. Just assigning people to significant roles they have little experience of is risky. You wouldn't promote a middle manager from HR to the role of CFO, because it requires a high level of experience and qualifications in accounting. The same applies to information security.

I remember chatting with a token CISO at a conference a couple of years ago, who claimed that they didn't need any 'bits of paper' to prove they could do the job. That's not really the point. CISSP and CISM are both evidence of competency and knowledge, the same as ACCA and CIMA are to accounting. A quick scan of LinkedIn will reveal an increasing number of companies who have assigned a new CISO or Head of Information Security from internal staff who have little or no experience in security, sometimes not even IT or risk. In today's connected age, the role of the CISO is as important as CFO or CTO, and while there is often debate over who they should report to - typically the CIO - the general consensus is that the CISO should be no more than one level removed from the Board (or CEO).

The role of the CISO is continually evolving as the business world adapts to an ever-changing and more menacing threat landscape. For larger businesses the role of CISO is now a must, and the choice of who fills it is an important decision, not one made simply to placate customer or compliance requirements.
