Who Is In Charge, Your CSO or CISO?

June 17, 2019
That decision will ultimately depend on who possesses better business acumen and risk sensitivity

Who is the guardian of your secrets? What tools safeguard the necessary resources to keep your operations going? Who reduces your risk profile? Ultimately, who makes the policies that keeps your organization safe and secure?

In 2017, Steve Hunt wrote a superb article for SIW on this very same question: CSO or CISO, who makes policy? It’s a necessary read and this piece, in many ways, picks up where that one left off.

I suggest to you the answer to these types of questions is always: it depends.  There is no clear-cut answer. In fact, if you seek clear-cut answers, you may end up causing more harm than good. That is why your guiding light should be: whoever understands the business needs of the organization best, and can deliver those needs in a cost-effective, tangible, measurable, and even profitable manner, should be setting policy.

Of course, this is easier said than done. Every organization is different and will therefore have different needs. That issue alone underscores why “it depends” is the answer to this question. Complicating matters, the lack of a clear, or at least consistent, industry-wide definition for each role clouds the decision.

Candidly, given today’s reliance on information to operate any type of business, is there even really a difference between a CSO and CISO? Should there be one? Dare we add the Chief Risk Officer into this conversation too? Christopher Burgess does just that, stating, “the CISO will be at the right hand, if not attached to the hip, of the CRO.”

Who Has Responsibility and Who Has Authority?

The 2008 SIW article by William Plante and James Craft, “The CSO/CISO Relationship,” illustrates, with an anecdotal story of a lost ID card causing a breach, that security is everybody’s problem. Over a decade later, the challenges that arose out of this anecdotal story would still hold true; except of course the challenges and relationship dynamics have become that much more complex.

Therefore, who makes policy is only part of the question; the other part of the question is who reports to whom, an issue examined very well by Christophe Veltsos in his piece “Where the CISO Should Sit on the Security Org Chart and Why It Matters”.

Add to the mix a blurring of where physical and digital security begins and ends, and the waters muddy even more. Finally – and if the above hasn’t left you a bit befuddled – the answer will become even more convoluted when you start mixing in IoT deployment, Big Data, AI, SOAR platforms, and all the other fancy gadgetry purportedly designed to make our lives easier.

I note with humor a Spencer Stuart blog post that says, “The CSO or CISO has a broader role than just to eliminate the threat. It’s also to deal with the crisis and the residual consequences.” What humors me about the quote is that it is effectively saying “I don’t care who fixes the problem, I just want the problem fixed!”

Poor Policy Will Lead to Unnecessary and Even Harmful Complexity

Two quotes come to mind and they help set the stage.  The first is by Dee Hock, founder of Visa. He says: “Simple, clear purpose and principles give rise to complex intelligent behavior. Complex rules and regulations give rise to simple stupid behavior.”

Quite candidly, the C-Suite officer that appreciates and takes to heart this lesson should be setting policy. But in order to do so, that officer needs to first understand the business. You see, for only a small percentage of firms can “security” be considered a revenue generator; in almost all cases, it is a cost center, a tax on your business.

Or put another way, you can be armed with all the best security tactics, trickery, and strategy, but if you don’t understand profit, cash flow, and cost, you may be dooming your organization. After all, even governments show they can run out of money too!

Always Know the Business, No Exceptions

If the policy-setting officer recognizes that their security work – very necessary work to function in a 21st Century economy – is an unavoidable drain on company resources, that individual will be forced to consider what impact their decisions will have on the bottom line (or whatever the ultimate business intent is). That’s the person you want to be setting policy.

It’s not so much a matter of making money, though that is helpful.  Rather, the policy-setting officer that understands the business must inherently also understand continuity of operations. Therefore, the person armed with business and tech savvy is simultaneously your organization’s lethal weapon and ultimate defender.

I would suggest to you that the business savvy part is harder than the tech savvy part. I’ll try to prove it to you with a simple example. If I give you $100,000 to spend, what’s easier: to turn that $100,000 into $200,000 or to spend that $100,000 on a security measure?

Just as Steve Hunt noted, the policy-setting officer that has the business savvy is the one who will be driving the bus. Richard Wildermuth, director of cybersecurity and privacy at PwC, said something similar: “a CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business.”

It’s a System, Not a Unit, and that is Why You Need to Know the Business

Unless the policy-setting officer can successfully generate a positive ROI on security investments, the expectation will be to minimize risk in the most cost-effective manner. Or put another way, when determining who should set policy, it should be less of a question of where the physical and digital (or cyber or information technology) realms begin, and even less of a question of the reporting chart. Rather, it should be more of a question of how the entire apparatus – the “security system” – impacts the business. That’s your first clue as to who should be making policy within any given organization.

And with more of the C-Suite and boards becoming increasingly sensitive to their fiduciary responsibilities over data breaches, it will be the officer who can speak the languages of risk management, profit/loss, and business drivers who should be making policy, not the one who is talking network traffic, anomalous events, and secure connections.

The policy-setting officer who gets these business concepts will always have the upper hand and should also have the support of the rest of the C-Suite and the board. The reason is simple: it is because these individuals should be better positioned to implement a “security system” with simple, clear purpose and principles that support the business mission needs.

The Policy-Setting Officer Needs to be Able to See Past the Noise

One of the authorities on risk management, Nassim Nicholas Taleb, says of intelligence: “They think that intelligence is about noticing things are relevant (detecting patterns); in a complex world, intelligence consists in ignoring things that are irrelevant (avoiding false patterns).”

There is a lot of noise in the IT world these days. And perhaps the first wave of noise is happening right at the foundation of the security apparatus. Here’s why I say that: a recent Ponemon Institute report found that organizations are “suffering from investments in disjointed, non-integrated security products that increase cost and complexity.”

I’d like to interpret this comment from two extremes:

  • Either the policies that have been set are too complex and have become too expensive, resulting in a disjointed, non-integrated security apparatus; or
  • The policies of the security apparatus are so disjointed and non-integrated that they have become too complex and expensive to operate.

Either way, I’m willing to offer this hypothesis: whoever is leading the charge of policy setting doesn’t understand the business model of their respective organization. 

Follow along this path:

  • Step 1: Understand the business.
  • Step 2: Identify the resources needed to operate the business.
  • Step 3: Identify the resources needed to secure the business.
  • Step 4: Make policy.
  • Step 5: Execute your plan.

If you follow this simple step-by-step approach, you’ll minimize the noise.

DJ, Turn Up the Music

In a previous life, I used to disc jockey plenty. Not only was it a passion, it was a job and one that I can proudly say was very successful (minus the international stardom).

What does that have to do with cybersecurity? A lot if you’re going to follow my five-step plan, because if you don’t, the policy-setting officer is just going to turn up the noise.

Any nightclub – or audiophile – that takes pride in their sound system understands this concept: it’s a system! Just one flaw somewhere along the line, a bad connection, poor electrical grounding, unshielded wires, misconfigured equalizers and crossovers, can make the most expensive sound system sound like garbage.

Sort of sounds like a computer network, doesn’t it?

But DJing for me went even beyond the music. In the places I played, I was adamant that the sound system was “clean”. What I meant was I didn’t want a noisy – or more specifically, distorted – sound coming through the speakers. It can damage the speakers and it’s annoying. But more importantly, it’s dangerous to the human ear and can cause permanent damage.

One of my most hated feelings was walking out of a club with a headache because of a noisy sound system. But noisy systems are sometimes hard to detect because with so many other frequencies going on, and at such high volumes, all that “noise” could go unperceived, but the ear is still “hearing” it. That’s where the damage comes in.

That sure does sound like undetected bad or malicious packets of traffic on your network doesn’t it?

Your Role is Not One, Your Roles are Many if you want to Support the System

Having grown up in a family restaurant, I inherently knew what the nightclub business was about and what drove its profits. My job as a DJ was not only to play music that made people happy; my job was to provide an experience to the audience that would also ensure the business would make money. It wasn’t either/or, it was both, requiring me to be business savvy as well as tech savvy.

There is also a wildcard factor here too: employees. Every place I played, I made sure I used the employees as an “extra set of ears” to get their feedback. I would even take that one step further and ensure I threw a few songs in for the staff. Why? Because apart from making them happy – a feeling that would pass through to the customers – the staff felt as though they were an extension of the DJ. And in doing so, they wanted to support the well-functioning system. It created a culture shift.

Name me just one CSO, CISO, or CRO that wouldn’t love having their organization’s staff buy into a culture that supported the safety and security of its information? I get it that it’s easier when you have your favorite tunes blasting through the speakers, but that’s not to say it can’t be done. Enter interpersonal relationship savvy.

Believe it or not, I had a formula for all of this, but it is a separate story and I’m conscious of my writing real estate space here. Here is what is important though: I was only able to come up with the formula once I figured out the business model. I was setting policy, in other words, by creating a simple, clear purpose for my job. And in doing so, I filtered out all the noise.

What was the result? Simple, a great experience for the audience, a business that would rake in the cash, happy staff and a smooth background operation that fit well into the entire system.

That is what your policy-setting officer needs to do. It’s not so much what they are called or where they sit on the org chart, but rather, does the policy-setting officer have the responsibility and authority to support the business mission needs? All very similar to Steve Hunt’s three go-to moves:

  • Continual Improvement
  • Continuous Coaching, and
  • Measurement & Recognition

The Winning Formula

When deciding who your policy-setting officer should be in this “cyber-everything” world, there may be an urge to go with the person who has the most proficient technical skills. It’s understandable, but it doesn’t necessarily mean it is right if they don’t have the accompanying business and interpersonal relationship savvy that are necessary to support the system.

That’s the winning formula right there: business savvy + tech savvy + interpersonal relationship skills. If that person is drafting and executing your organization’s security needs, you’ll be in better hands than most.

About the author: George Platsis works with the private, public and nonprofit sectors to address their strategic, operational and training needs, focusing on projects related to business development, risk/crisis management, resilience, cyber and information security, and cultural relations. His primary focus is on human factor vulnerabilities related to cybersecurity, information security and data security by separating the network and information risk areas. Some of the issues he tackles include: business continuity, resilience strategies, social engineering, insider threats, psychological warfare, data manipulation and integrity, and information dominance. George is a director of cybersecurity at FTI Consulting, based in Washington, D.C., an educator, author and a founding member of the #CyberAvengers. He holds a bachelor's degree in business administration and has graduate degrees in business administration, disaster and emergency management, law and cybersecurity. He has completed executive education in national/international security and cybersecurity at Harvard University, Syracuse University and the Canadian Forces College. The views expressed by the author are those of the author and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates or its other professionals. For more from Mr. Platsis check out his website at https://georgeplatsis.com/.