How to Hire a CISO
DON'T THROW STONES AT EQUIFAX OR THEIR RETIRED CISO
The question of eligibility surrounding Susan Mauldin, Equifax's recently 'retired' Chief Information Security Officer (CISO), has been raised by those who rightly seek answers to the overarching question hanging over the beleaguered company's leadership team:
'Was this an obviously avoidable breach?'
That those who raise this query are rounded on by all and sundry as misogynistic haters of music majors is a real pity.
STAND BACK AND CONSIDER THE ROLE'S DIMENSIONS
A pity because the role of the CISO is so implausibly dimensioned as to be impossible for any one individual to fill. That should be a cause for genuine concern and focus, as opposed to a reason to have yet another pop at each other over gender bias. The issue of the role's purpose and remit holds true in small companies, let alone one the size of Equifax. So the Equifax breach, like those other notorious compromises from TalkTalk, through HMRC, to Yahoo and everything in between, should be looked at for the lessons it offers everyone:
- ROLE SPECIFICATION: The CISO is usually a scapegoat for failings beyond their reach. The specification includes a kitchen sink or two. This role spawned as an afterthought in the late 1990s, and its relative immaturity presents a series of traps into which the unwary invariably fall.
- EXPANDING THREATSCAPE: All technology has frailties that no amount of re-engineering fully patches. Remember that IoT (Internet of Things) and OT (Operational Technology) are tidal waves that IT developers have recently unleashed in the race to connect everything, none of the newly connected devices ever having been designed with such connectivity in mind. So already vulnerable systems just got connected to totally insecure extensions.
- UNBALANCED: All information security measures are a balance of RISK vs ECONOMICS, and contemporary CxOs remain unconvinced of the merit of the serious (substantial) investment needed to balance the risk, preferring to ride the Cyber tiger with everyone else. Pushing the CISO out front when the flaws we all know are there get exploited results in the fast revolving door we are seeing CISOs fall in and out of.
So the point is not whether Susan was up to the job; rather, is any one individual able to own this brief? In my view, having spent years working with hundreds of CISOs around the globe, absolutely not!
HOW DO I SPECIFY THE ROLE OF THE CISO?
The answer we propose is twofold:
- RE-ENGINEER. Firstly, consider re-engineering the role of the CISO into something that is realistically specified. This is usually tricky because security, particularly for small and medium-sized businesses, is not a well-developed function and, besides, there are precious few executives in the business to pass pieces of the role to.
- BENCHMARK. And/or (at least) use a proven benchmarking tool to prompt senior management to capture the CISO brief for your company relative to what others have (most successfully) appointed, then use the view captured to inform the search. Four years of development means the Ascot Barclay Group now have such a model, and it is well proven. They call it CISO Finger Printing. The Finger Print captures a view of the CISO against 13 core traits.
The first hundred completed samples were used to tune this model, and the results helped to define visual benchmarks for the role. Drawing a line down the middle of the chart divides the more technical traits on the left from the more strategic traits on the right.
Here is what I think Susan Mauldin's CISO Finger Print probably looked like at the point she retired (all of her online profiles have been taken down, so this is my guesswork, albeit informed):
Diagram: Susan Mauldin CISO Finger Print (estimated)
Now that we have this view, we can hold it up against the 'idealistic' benchmarks for the role, which essentially illustrate what is asked of the CISO.
Diagram: Susan Mauldin vs Finger Print Benchmarks
The three benchmarks are the ideal profiles for:
- GREEN: Strategically biased
- BLUE: Balance of both Strategic and Technical
- YELLOW: Technically biased
The gaps are clear now. Susan was indeed misaligned with the role based on this comparison. But the CEO hired her, and he isn't a fool (I don't buy that leaders such as this are ignorant or foolish; it simply doesn't wash).
Picture: Richard F. Smith CEO Equifax
Richard Smith has had to accept his responsibility after the fact. Of course he wishes, with the benefit of hindsight, that he had taken more trouble to mitigate the risk by investing more time, effort and cash in better information security. Susan Mauldin, standing by him and looking through that lens, will probably reflect that she too could have fully grasped the security brief delegated to her by acknowledging the gaps and simply appointing a team that filled them.
Easy with the benefit of hindsight? Absolutely! So senior management can take this hindsight and get serious about the role of the CISO.
For what it's worth, I would probably have hired Susan too (assuming she made it through the interview stage). She has admirable creativity and good leadership skills, and she is bold enough to take it on. Importantly, though, I would make the appointment conditional on being given the budget to complement her with two (ideally three) others in order to make the shape whole against the BLUE benchmark, as illustrated in the Finger Print above.
That is the real point here: the CISO role requires a team of people, and someone like Susan could well play a meaningful role on that team.
We have yet to find any one candidate who absolutely nails the profile. Susan is perhaps a weak example (insufficient public data to verify still…) and yes, perhaps an extreme example, but the issue of the CISO role's poor design and remit is pervasive, and Susan has been made a scapegoat for failings that exist in organisations of all shapes and sizes around the world.
SO HOW DO I HIRE A CISO?
Boards should take a good look at what the role encompasses, recognise that the weight of responsibility attached to information security is extreme, consider the ever-increasing sophistication of the threats, and accept that the time has come to try alternative approaches, or at least show that they have taken advice from the best on the planet.
For example, CISO-as-a-Service models led by the world's best exponents of the CISO role (as close to the GREEN and BLUE benchmarks as an individual can get) are a viable solution gathering recognition. In such a model you can blend specialists together to ensure all aspects of the role are properly covered.
HOW DO I ENSURE THE CISO ROLE IS EFFECTIVE?
Governance bookends what CISOs do. So once the CISO is in post, make sure the key aspects of governance are firmly in place.
'DOING A RICHARD F SMITH'
The alternative, of course, remains to simply hang on to the Cyber tiger's tail and hope that you aren't the next Equifax. I think the days of sacking the CISO will be gone soon, but not before we have witnessed several more major victims of cyber-crime.
The days of hiring CISOs who can't truly own the brief can and should stop immediately.
Appoint once, appoint well, and you can genuinely rest a good deal easier knowing that the frothy, nasty, unpredictable, unfathomably huge security brief is OWNED!