A CISO is Not a CISO when:

* They lack the requisite qualifications: A CISO should possess a deep understanding of cybersecurity principles, industry standards, and best practices, often supported by relevant certifications.
* They do not have executive-level authority: A CISO needs the authority to make strategic decisions, allocate resources, and influence organizational priorities to ensure adequate cybersecurity measures.
* Their cybersecurity strategy is misaligned with business objectives: A CISO must develop a security strategy that aligns with the organization's overall goals and risk tolerance.
* They fail to communicate effectively: A CISO should be able to articulate complex security concepts to both technical and non-technical stakeholders, fostering a culture of security awareness.
* They neglect risk management: A CISO must continuously assess and manage risks to the organization's security posture, ensuring proactive protection against threats.

In summary, a CISO is not a CISO if they cannot effectively protect the organization's assets, ensure compliance with regulations, and maintain a secure environment while aligning their efforts with the broader business strategy.

***

Note, this posting is not meant to differentiate infosec/cyber leaders by job titles alone.
Tom, I love your article! Two things: First, I argue there are no such things as "best practices." We may use common practices as a starting point, and there may be legal and regulatory requirements that prescribe specific practices, but those are almost never the BEST practice in any given risk environment. For example, I've written a spate of articles about password complexity rules and frequent change rules, which are followed as "best practices" even though they actually incur a realized loss far greater than any security risk they mitigate. Second, many enterprises subordinate security leadership and domain expertise to finding a specific progression of TITLES through similar corporate entities. This may mitigate your point about a misaligned strategy, but it also tends to focus on non-security skills, capabilities, leadership, and communication experience. In other words, their search criteria are upside down but rarely stated that way. But your last point is solid gold, and my first point above reinforces it: a CISO must apply risk management principles to everything he does, and he must include both upside and downside risks from other business functions than just security. Thanks for a great post!
A CISO should refuse to take MCQ (multiple choice questions) IT security certification https://www.businessinsider.com/mark-zuckerberg-technical-skills-important-leadership-management-2024-9
It's also important that companies do not use the CISO as a scapegoat when there is a breach or other incident. Those events are learning opportunities for the individual and the entire organization. Companies that fire their CISO because an APT beat their team's defenses remove the foundation of their security structure and create a culture defined by a fear of failure.
A GRC discipline so embedded and dedicated to IT controls that one became all but indistinguishable from the other for a generation or two... It's good to be a part of the path toward a homecoming. Hopefully ESGRC Architecture is more than a side quest along the way.
Sounds a lot like the material tested in the CISM exam
Security Strategist | vCISO | CPE | CICP | CISSP 🛡️
Great points. How do you spot organizations who hire the "Not a CISO" roles?