05/17/2017
A Prevailing Challenge for New CISOs
We’re living in very exciting times with explosive growth in the information security industry. But sometimes drastic changes don’t come without challenges.
Just as companies in fast-growth situations must do, there needs to be a time to step back and ask whether everything else has kept up, and whether the organization has matured sufficiently and proportionately to where it has arrived. On an individual level, it’s never easy to look in the mirror and be honest about what one sees, even when we notice only minor imperfections. What about when we see things that can be career- or success-limiting? Even worse, what about when it is right there staring us in the face, and we either can’t or refuse to recognize it?
Over the past two decades there have been several events in time that have propelled junior professionals, and others from outside of the profession, into information security leadership roles. One that comes to mind is post 9-11, after markets tumbled and companies went through mass layoffs. On the other side of this event, as markets recovered and companies started to build employee numbers back up again, one role of particular interest was the CISO. Recruiters and HR professionals responded to the situation in a generic fashion by lowering compensation offers, only to find that while there were a lot of general business and IT professionals out of work from the layoffs, the experienced information security managers didn’t face the same challenge. Why? Because market demand never caught up and experienced professionals were still in short supply. The next similar event was the post-2008 market crash, when markets and hiring professionals repeated past mistakes.
Now let’s fast forward and get back to more recent times. In January 2016, a Forbes magazine article backed by 451 Research, looking at labor market statistics, cited 209,000 vacant information security jobs in the United States that companies were actively seeking to fill. The article went on to say that by the end of 2016 the labor shortage was projected to grow to 1 million. This was further backed by Symantec’s CEO, who offered that by 2019 the market shortage is expected to grow to 1.5 million.
So, you’re probably wondering what happened during the earlier examples. Well, the experienced professionals headed South, so to speak, for higher paying consulting roles. The residual effect was that an already depleted security management talent pool was heading further into serious drought conditions. The market response was, well, let’s take the best of what is available and make the best of it, at bargain prices. The way they went about this was to hire junior technical information security professionals, propelling them forward in their career path into information security management and leadership roles.
Probably most important of all, through no fault of their own, these individuals, who could hold their own in any technical discussion, did not have an opportunity to gracefully mature into management and learn the language of business. At public events that I have spoken at and certification courses I have taught, I continue to hear information security managers tell me that the metrics they present to their company’s leadership sound something like, “last month we stopped 30,000 viruses at the network’s perimeter.” When asked why, I get the typical response, “management is all about numbers, and these were numbers, right?” I then propose an alternative, suggesting something like “for an investment of $10K last month, we had a cost avoidance of $30M in damage.” The example assumes the company spends $120K per annum on endpoint / perimeter malware protection ($10K is last month’s share when amortizing the cost over 12 months), and that the 30,000 viruses, when calculated against the number of nodes protected on the network and industry-recognized statistics for the cost of malware impact per node, might translate to $30M worth of damage that the company avoided.
Expanding on that train of thought further, being able to tie the information security program’s performance metrics together with defined information security program objectives, and ensuring alignment with the organization’s business strategy and its associated objectives, is another area many are challenged with. This is to say, without clearly understanding how buying 10 new firewalls, or the next new security technology defending against the latest threat vector, supports the direction the business is going (strategy), it is impossible for non-information security professionals to know why they should support the proposed budget or strategy. Remember, every other leader is constantly positioning investments for their area of the business as well. Investments don’t come out of thin air; they come from the profit pool, period. The translation in a privately held company is that one is asking the owners to take money out of their wallet to support the proposed strategy. In a publicly traded company, investments are seen as adding cost to each unit or transaction produced by the company, which can influence the share price, the cherished compensation of most senior executives. This dipping into the profit pool can be the impetus for a drop in share price on the market. So again, in a roundabout way, they’re being asked to take money out of their wallet, even if it is for valid strategic reasons.
So, what happens when one is presenting to the senior executive management team or the Board, and one cannot articulate the message in a manner commensurate with the audience? The audience tunes out, the presenter is not eagerly welcomed back, and strategy and budget proposals are greeted with skepticism and distrust, and are typically marginalized. Worse yet is the message one unintentionally ingrains in the minds of every member of the leadership team regarding an information security leader’s ability to play an active role as a trusted business advisor.
In the forefront, we have exploding industry growth. In the background, with very little attention paid to it, we have the baby boomers retiring, many of whom are at the top of the information security career pyramid today.
In light of the above, circumstances are apparently in line for more fast-paced career growth that will propel quite a few forward, yet again. The question is, will they be ready?
To this end, information security professionals need to start coming together across industries and geographic boundaries as one community. If you are one who has already learned information security and management skills, then while you could probably learn additional techniques to perfect them, you certainly are well positioned to help bring the next generation of leaders forward by sharing what you know.
“Life is a gift, and it offers us the privilege, opportunity, and responsibility to give something back by becoming more.” ~ Anthony Robbins
“The best way to find yourself is to lose yourself in the service of others.” ~ Mahatma Gandhi
It is for this reason, among others, that I started the Information Security Leadership Forum. If this message resonates with you in any way, please “Like” and “Share” it with others. It won’t cost you anything to do so, and you might be getting an important message to someone who needs it today. And don’t forget to stop by the Information Security Leadership Forum’s website, join, and get involved. The community needs good people like you on the team!
The Information Security Leadership Forum website can be found at http://www.informationsecurityleaders.com
* Ask about the Forum's free resources like our ISO 27001 Governance and Audit Template Sets to help accelerate the development of your information security program.