CISOs are too busy firefighting to develop the skills they need - TechUK podcast
12:00 Saturday, 27 March 2021
UK Cyber Security Council
In its March 2021 podcast, “Where should the CISO role sit in an organisation to be most effective”, TechUK explores the skills a CISO needs in order to engage effectively at executive and board level, and indeed to raise the CISO role to become part of the top-level executive team.
J-C Gaillard, Managing Director of Corix Partners, talks of the changes in the CISO’s role over the 20 or so years CISOs have existed. “The first decade of the [21st] century [was] very much about risk and compliance”, he says, “and the CISO [was] very much an information risk officer, an information risk manager, and the drivers are all in the risk and compliance space”.
Since 2010, the CISO role has no longer been about risk and compliance. J-C continues: “CISOs have become firefighters in the face of a non-stop avalanche of cyber-attacks they have had to fire-fight all the time”, and notes also that this issue has been further exacerbated by the Covid-19 pandemic of 2020-21.
“It’s a problem in the sense that there are all sorts of skills you don’t develop when you are constantly firefighting technical problems”, says J-C.
Dynatrace SVP and techUK advisor Jason Tooley also notes that although the CISO role has a higher profile and a larger budget than ever, it has yet to become a C-suite role or even a board-linked role in a widespread sense, despite the fact that other roles that might be perceived as sitting at a particular level in the organisation (Jason uses the much newer Chief Digital Officer role as an example) are increasingly being elevated to the C-suite.
J-C states his view of why this is: “The CISO role has not developed … because the CISOs have not developed in that way themselves because they’ve been constantly pushed into firefighting. They’ve not been able to get out of firefighting mode, and when you are constantly firefighting cyber-attacks you do not develop the kind of managerial skills, the kind of political acumen you need to engage in a meaningful manner with the Board”. “That’s the corner we need to turn to start either developing the role of the CISO so that it does turn that corner or indeed changing the organisational model so that somehow the right type of people engage with the board on those matters”.