Wearing the CISO Hat
As someone who works in the CIO/CTO role in smaller organizations, I often have to act as the CISO and sometimes even as the compliance officer.
Since I am not a security specialist, there are a number of disadvantages to taking on the role of CISO. The most obvious problem is that I’m working outside my area of expertise, and potentially facing adversaries who are very skilled. I could be found liable if it can be shown that I was negligent in some way. Sometimes I have to spend a lot of time researching an area I’m not familiar with, which lowers my productivity. All of these factors can make my job more stressful. However, for startups and small businesses, sometimes even a virtual CISO is too expensive, and I have to find ways to make the best of the situation.
Another struggle, which most security leaders can probably relate to, is the difficulty of convincing the business to allocate scarce resources to security. If you invest developer time in a new product, it’s easy to see the investment pay off in revenue from the product. It’s not easy to see how investments in security pay off because you can’t account for the cost of a breach that never happened. When security is a separate team, the debate about allocating resources can take place once a year in the C-suite. When security is one role among many of the technology team, the resource allocation debate happens in every weekly planning meeting, as I try to convince business leaders to allocate time to security or compliance instead of revenue-producing projects. Business leaders can get frustrated when they see the cost of security and compliance on a daily basis, but never see quantitative benefits.
Since I sometimes have to take responsibility for security, I have to find ways to make it work. I have learned to quickly recognize what I don’t know, and to be comfortable stating what I don’t know to my peers and clients. The business decision makers need to understand when I’m doing my best under the circumstances, and that better results could be obtained if we could allocate resources to bring in other expertise. I also need to acknowledge when I’m totally out of my depth and make sure that I get the resources I need. Despite the disadvantages of having one person be the CIO/CTO and CISO, the situation does create a unique opportunity.
As CIO/CTO and CISO, I have the opportunity to create a security culture throughout the technology team and lay a strong foundation for a future CISO. Most importantly, I can set an expectation that security and productivity are not mutually exclusive. A security team that operates in a “silo,” out of touch with the rest of the organization, can be more dangerous than useful. When the security team’s only goal is security, they can just say no to every request, and implement controls that impact the ability of everyone else to do their jobs effectively. When faced with the choice of following security rules or getting their job done, most employees find ways to work around security controls.
I saw one glaring example at a branch office of a large global corporation. For “security” reasons that nobody could explain (because all the IT and security decision makers were far away), all LAN traffic was actually routed over the WAN to the central IT office. As a result, file transfers on the LAN were incredibly slow, so the office was infested with unencrypted USB drives (which were forbidden by policy). The “secure” network design actually made the company less secure. Whenever I’m training employees on security and compliance, I emphasize that every process in the organization can be carried out in a way that is secure, compliant, and efficient. If they ever find themselves unable to carry out their duties effectively because of security or compliance controls, they should come talk to me, and we’ll find a better process.
It’s not ideal to have the same person fill the roles of CIO, CTO, and CISO, but sometimes business conditions make it unavoidable. It’s better to have someone be responsible for security than to have no one be responsible for security. It’s better to conduct an imperfect risk assessment than none at all, and it’s better to have weak plans or incomplete policies than to have none. In the worst-case scenario, honest efforts will play out far better than willful ignorance in front of a federal regulator or a jury. If you are the CIO or CTO and you aren’t able to hire a CISO or virtual CISO, don’t be afraid to start taking responsibility for security. Somebody has to do it!