Who’d want to be a CISO?


Let's face it, being a CISO (Chief Information Security Officer) is no bed of roses. The ultimate responsibility for protecting the organization against a rising tide of hackers and state-sponsored cyber spies intent on breaking in and stealing information rests firmly on the CISO's broad shoulders. Being the CISO in most companies today usually means being starved of resources for additional headcount, tools, and services, while you spend each and every day with your back against a wall! And did I say every day? Being a CISO is not a nine-to-five job. You need to keep your wits about you during the dark hours when your boss and most of the Executive Leadership Team (ELT) are out for dinner or sleeping soundly in their beds. The 'witching hours' are between 7pm and 7am and at weekends, when cyber criminals know all too well that the fort is unmanned and they can usually get away with whatever they want – largely unnoticed.

7pm US Eastern Time is breakfast time in Beijing and Shanghai, where many of China's best cyberspies work. The People's Republic of China (PRC) has invested in vast campuses full of specialized People's Liberation Army units, whose role is to attack foreign organizations and steal not just defense secrets, but also commercial secrets that may help Chinese companies to catch up with and surpass their western counterparts. Despite an agreement between President Xi and President Obama in 2015, the dashboards of western Security Operations Centers stay lit with the Chinese IP addresses of active attackers every day and every night. According to a former FBI Special Agent, "China's corporate cyber-espionage apparatus is too big and too effective to shut down". "The genie is out of the bottle," he concludes.

7pm US Eastern Time marks 2am in Moscow, when club revelers call it a night and return to their flats amongst the sprawling public housing projects. While they have been out clubbing, their neighbors have been busy testing the cyber defenses of their latest targets. The hackers here are more 'freelancers for hire', working on occasion for the government, the FSB or perhaps as a favor for someone well connected, but just as often for themselves, paid by the job or paid by results. Entrepreneurial and opportunistic, these are the 'shadow-dwellers' who prey upon the weak and unprotected with phishing campaigns, malware, and much, much worse – anything that could generate them income, today, tomorrow, or next month.

The Russians and Chinese are not alone; they are just the largest adversaries by volume on the CISO's situational threat board. It's fair to say that in a global economy the threats don't just come out at night; it's just that the attacks seem scarier when everyone else has gone home for the night and it's dark outside!

The CISO has to be aware of not just the constant attacks against his or her network, or the spear phishing campaigns against users attempting to get them to unwittingly reveal secrets, or to click on a link that will deposit a dropper or other malware on their company computer. It's a continuum of threats and risks that the CISO and his team have to defend and protect against. And when something goes wrong and some nefarious bot or person gets past the paper defenses? It's the CISO who takes the fall, and takes responsibility for everything that went wrong leading to the breach – lax controls, inadequate staff for 24-by-7 operations coverage, no budget for user security awareness training, a mish-mash of out-of-date security products and applications, and the CIO's or CFO's decision to select a proposal from a less expensive implementation vendor who undercut the experts who actually knew what they were doing!

Decisions are often made by those above the CISO, safe in the knowledge that they have a 'fall guy'. No wonder so many CISOs start updating their resumes the day they start a new job! It's a thankless job - a very, very stressful job - and if it were paid by the hour rather than salaried, CEOs might just begin to understand the level of expertise required and the work involved to secure a company from dynamically changing cyber threats.

Despite the challenges of the job, the role of the CISO attracts some of today's brightest and best corporate executives - those able to understand, protect and promote the success of the business, and able to negotiate the boardroom and ELT politics, yet at the same time understand the intricate complexities of risk, security, privacy and compliance and the associated technologies used to monitor, measure and protect the business from cyber attack.

It takes a unique and broad set of skills to be a successful CISO, but it also takes a certain kind of person, one who doesn't give up easily and can get back up after being knocked down. Vision, passion, dedication, perseverance and sheer tenacity are the key traits that usually come to mind for the job. The role of the CISO is changing, however, from a deeply technical role implementing tools within IT to an executive role managing and reporting enterprise security risks to the ELT and the Board.

Retaining top CISO talent in a highly competitive landscape where demand massively outstrips supply is, however, becoming an increasing problem. CISO salaries have risen sharply over the past two years and the trend is showing no signs of slowing down. In fact, CISOs in the big US cities can make in excess of $350,000 to $420,000, based upon studies by SilverBull and by Healthcare IT News. CISOs are increasingly being asked to present directly to the board on an ongoing basis, and IDC predicts that "by 2018, fully 75% of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, rather than the CIO", which has been the norm until now.

With over one million open cybersecurity jobs, and average CISO salaries in sharp ascent, it's clear that effective CISOs are desperately needed and will continue to be a challenge to attract and retain.

SecurityCurrent Average CISO Salary Report, prnewswire.com
