Leadership: how to fix the seniority of the CISO

Opinion

12:00 Monday, 04 January 2021

UK Cyber Security Council

We have explored in a previous article the reporting line of the CISO. Of the first ten CISO job ads we looked at, just one had a direct line into the CEO – the rest reported into lower-level people such as the CIO, COO or Chief Risk Officer. Part of this is because security is considered not to be a “C-level” function, but part of one of the other Cxx’s departments (and, as we noted, precisely which one varies from company to company).

And this is unsurprising if one looks at other prominent risk-related areas such as data protection. Article 38.3 of the GDPR states that: “The data protection officer shall directly report to the highest management level of the controller or the processor” – which at first glance contradicts our argument – but in reality, this often doesn’t happen in an organisational chart sense. So the DPO might report to the CRO, who in turn reports to the CEO, who is accountable to the Board. This happens because the law is unclear, as “directly report to” does not necessarily mean “have as his or her line manager”. Even the EU’s own “Guidelines on Data Protection Officers” document implies that the DPO can be a relatively junior role, noting that “Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level”.

So if we can’t habitually have the DPO as a C-level position – despite all the publicity and evidence about the criticality of data protection – how can we change attitudes so that the CISO reports into, at least, the CEO? Well, one approach is to campaign for it to happen: the CISO can run a regime of informative, eye-opening, candid and unbiased reporting for consumption by the higher-ups, with a clear risk-based approach that makes them understand the security risk profile of the organisation (and we will look at reporting in a future article).

But there is more to it even than that: if you, as CISO, convince senior management that your role should be a proper C-level job, you presumably also want them to think that you should continue to hold that role when it moves up to C-level?

Cxx roles are leadership roles. To be worthy of stepping into one, and to stand any chance of succeeding in one, leadership skills are essential. Poor C-level performance is often not a result of a lack of understanding of the subject matter: although there are exceptions in all walks of life, in the majority of cases poor CFOs know their way around finance and poor CTOs have a decent understanding of technology. The difference is partly based in experience, but mostly in leadership skills (of which a good part comes from experience, of course).

So if you’re a CISO and you believe your role should be more senior, look at your leadership skills. If your organisation is any good you will have access to coaching, mentoring and leadership training – and if it isn’t, you can look outside your organisation to peers whom you respect and ask if they’d mind, say, meeting every six weeks over coffee for a mentoring session.

The CISO role is, generally speaking, worthy of a position on the executive team. The common question is whether the individual in question is, too.