Nobody is perfect, but CISOs have a much smaller margin of error than the average company employee. While most jobs have competitors waiting to pounce on slip-ups as opportunities, CISOs have adversaries ready to exploit any issue and potentially cause billions of dollars in damages.
This is likely one of the key reasons that the role of the CISO is one of the most stressful positions in the workforce today, with roughly 88% of CISOs reporting that they feel “moderately or severely stressed.” (CISO Stress Report)
Aligning Strategies Solely to Their Own Knowledge
The role of the CISO is to be dynamic, fit into every aspect of the business and provide guidance on how to limit risk from external threats. Unfortunately, there isn’t a clear-cut playbook on how this should be done, as each organization has unique challenges and political landscapes. This is where CISOs often make their biggest mistakes. Rather than developing strategies that are right-sized and fit to their business, they attempt to bring in “what they know works” into a landscape where it wouldn’t or couldn’t work.
This can be comically visible in businesses that have a tiny technology footprint and a massive Security Operations Center, or in organizations that are free-form and innovative while the CISO is attempting to implement militaristic security controls. Where it is most notable, however, is in organizations where the CISO seems to have an adversarial relationship with multiple parties within the organization. In any case, what this shows is a CISO that is out of sync with their organization.
As a consultant guiding these CISOs, it can be a very rough ride. These CISOs may be hiring consultants for ill-advised engagements in lieu of the engagements actually needed to manage their business’s risk and right-size their security capability. In these situations it is best to recognize that consultants function as guides to their clients. Guidance simply means providing information to help clients; the choices they make have to be their own. As such, in these situations it is often best to fall back on what should be a core principle among consultants: providing clear, objective information.
Being Everyone’s Best Friend
Most people do not enjoy being an authoritative force within an organization. Some certainly do, but on average it isn’t for most. As such, it is pretty common to come across CISOs who seem to be everyone’s best friend within their organization. What’s wrong with that? Nothing. Politically, it is actually the best place to be. Right up until they are on the receiving end of an assessment showing that their organization is operating at a high level of risk and it’s time for them to make some noise.
This is not a fun place to be as a consultant. The typical response begins with pushback. Statements like, “I understand why this would be a good security practice for an <insert industry sector or vertical not applicable to the client’s environment here> company, but I don’t think that applies here.” If a consultant pushes too hard in this situation, the conversation could devolve into the client attempting to discredit the consultant’s work, or the individual consultant’s knowledge or capability.
None of these responses lead to additional work for a consultant, which is the last place they want to be. In these situations, consultants have to make some tough decisions. First, they have to determine whether they’re wrong. This can be the most difficult task, as it requires consultants to see past their own bias. Second, it is imperative that consultants trust their expertise and provide an accurate report.
Unfortunately, this may not be the best business decision; however, it is important to remember what security consultants do, and ultimately a falsified report that bites a company in the rear is far worse for business than a client that refuses to work with a firm because it provides accurate work.