I recently participated in the NG Security European summit, where there were lots of nice presentations about how CISOs are perceived by Board and Business Leaders. And the results are frightening. Just as IT needed decades to get to the Board level, Infosec isn’t mature yet and needs to evolve the way it sells itself.
I do believe all CyberRisk issues should be sorted out at Board level. I struggle daily to convince people that this is how it should be, but frankly most top managers don’t care and just believe it is a « computer guys » problem that should be solved by them (using an antivirus or a firewall, obviously!).
During this conference, amongst all those brilliant presentations by CISOs dealing with exactly the same issue of trying to get their way to their boards, I was shown a report with outrageous numbers: CEOs don’t trust CISOs. Most claim CISOs aren’t able to fill any other board-level position because they aren’t « smart enough » to be top managers. Unfortunately I do believe those figures are true, based on my own experience. I even sometimes believe that I should add an MBA to my experience, just for this reason. Being seen as « just a techie » is very negative and counterproductive. And techies, hackers, are coal-mine workers. Seriously. Why would executives care about coal miners?
I do believe the main issue is the misinterpretation of Infosec. Thanks to this new « Cyber » word (I know, it’s not a nice word, but let’s use it anyway), it’s slowly making its way into CxO minds that Cyber is important enough to be strategic, even if a vast majority of them just believe those problems are not theirs. I had discussions with CIOs during several steering committees. Most of them said a vast majority of business leaders see IT as « PC repair guys » (who don’t perform well, as it’s always slower, less sexy and more restrictive in the office environment than at home, where they use iPads and Macs, play games, and surf everywhere). Yes. CIOs are « PC repair guys ». Sadly. And obviously CISOs are « those antivirus guys ». Sadly, again.
The issue is not Infosec. It’s probably the whole of IT, as the term « Technology » in it says it well: it’s for techies (or is perceived as such).
Let’s change that!
Two days ago I was discussing the difficulty a vast majority of minorities (!) have convincing others that they are as « normal » as anyone else. Such as women in STEM. I guess this issue is a real societal plague, and it also applies to « techies », who are not seen as able to bring their expertise, but as people you can’t count on because they « aren’t smart enough » to be board members. I witnessed and experienced this personally, and felt how those « top » managers judge every single individual using stereotypes and a very often wrong perception of real values.
The « Club des Vigilants » and « Chatham House » think-tanks, of which I’m a (proud) member, are very valuable because they both believe we should rely on *all* kinds of people to make smart decisions about our future, because humanity is made of diversity; diversity engenders life and is mandatory for the long term. Both think-tanks encourage people from different horizons to become members and let them express themselves, too. I was very impressed, the first time I attended those events, to see that all members were placed at the same level. I was sitting at a table with my own microphone, and could ask to speak as freely as Ministers or other super-important people. That is how societies should perform. That is how Switzerland’s super-democratic system is built and performs (and thus the reason I love it), and I am always sad when I see board-level decision makers of so-called « top companies » who are just selfish and not able to see diversity as thrust and a positive thing.
So, how can we act?
Basically, by changing the way we are perceived. Changing our appearance. Making things positive, business-enabling, useful and trustworthy. What is the point of so-called secure appliances? What is the point of stacking them, increasing complexity and failure? What is the point of multiplying security « solutions » that engender more and more problems and anger for the users? I was upset to hear, a few minutes ago, a security vendor telling me to use FUD to sell their stuff to my manager. Wow, that’s not only rude, that’s the worst idea ever.
First, let’s understand the business. What are those guys doing and willing to do? Are their data and their way of acting really a risk? Do we really need to change anything? Most of the time, I tend to say no, it’s fine like this. And, yes, I accept the Risk. Because it’s not *my* risk, it’s theirs.
What is really the purpose of a CISO dealing with filtering websites and so-called security things? That’s nonsense, it’s an HR problem. If employees are surfing porn websites during their work hours, maybe it’s because their bosses have a management issue to solve. Why should IT, why should Infosec be accountable for solving this? Nonsense. It’s not because IT can solve it that it has to do it. IT can also do Finance, but asks CFOs to do it because it doesn’t want to (and doesn’t have to) take the risk of doing others’ jobs.
So, for a short while now, I have tended to understand the business more and more, and to explain to them that the risk is *their* business, not mine. They produce and handle data, this is their own data, and they are held accountable for keeping it safe. Even regulation says it: data owners are accountable. Not IT. Not CISOs.
Second, let’s make clear what CISOs are. They aren’t, and shouldn’t be seen as, techie coal-miners. They aren’t those firewall guys (preventing people from getting their work done). They are business enablers, and are the interface between Business and Operations.
CISOs must translate problems into Business-oriented language. They must translate global strategies and business vision for those infrastructure guys and vendors. CISOs are in the translation business. Business Facilitators. Coaches. CISOs must be the people the board isn’t reluctant to talk to, and be trustworthy enough that the Board and businesses are confident explaining their strategies and expectations.
CISOs must understand the technical implications, too, of those strategies, and their side effects. And be counselors and advisors to solve those.
And once this is done, CISOs will be able to be accepted by board members. As they should be.