Why a CISO's job has never been more public or chaotic

Enterprises shouldn't be reinventing the wheel every time a Chief Information Security Officer steps up to the plate. The CISO Reporting Project aims to arm the CISO with what they need to make the Board listen.
Written by Violet Blue, Contributor

The critical nature of an organization's Chief Information Security Officer role has never been so prominent -- or public.

It's a young role, historically speaking, but not so new that an enterprise should be reinventing the wheel every time a CISO steps up to the plate -- yet, this is exactly what keeps happening.

According to those paying obsessive attention to the CISO's story arc in our modern security dramas, despite the role's gravity, research shows that most CISOs have been in their role for less than 12 months. This relates directly to another problem the young role faces: Currently, there are still no industry standards or templates for CISOs to leverage when they report to the Board on security metrics.

Trey Ford, Global Security Strategist at Rapid7, is one of those CISO-obsessives studying the research and looking for solutions.

Spearheading the CISO Reporting Project, he's aiming to crystallize CISO reporting behaviors; explore what's really going on in the array of CISO permutations; determine what's going wrong (and right) in everyone's reporting to the Board; and establish an actionable, baseline snapshot of CISO needs.

With Nicholas Percoco, Vice President, Strategic Services, Rapid7, Ford announced and presented the preliminary CISO Project release at RSA on April 20 (PDF slides here) revealing the results of surveying 60 CISOs across a variety of sectors.

When we caught up with the Project's team after their first survey round, we asked about where the project is seeing things go haywire the most between decision makers, CISOs and IT/security/engineering staff: Chiefly, communication.

Ford explained: "We probably all know this, but may not be fully aware of it -- executives need three questions answered in any interaction we have, especially in the boardroom:

1. What do I need to know?
2. Why do I care?
3. What do you need from me?

"Knowing your audience, and what financial and/or performance incentives drive each executive, helps to inform questions one and two. Question three is the real humdinger," Ford said. "If you don't need anything, why present? If an executive doesn't care enough to engage or help, are you simply there to vent, and tell them how you feel? Having a 'clear ask' is table stakes."

Without that clear ask, the message will almost always be lost.

Part of this is a challenge presented by the relative immaturity of the information security discipline. Law, Politics, Engineering, Medicine, Commerce -- these have been in play since the dawn of mankind. Finance is one of the easiest examples to point at -- if you ask the CFO how the company is performing, they have the GAAP (Generally Accepted Accounting Principles) and may point you to the SEC required Form 10-K if the company is publicly held and traded.

Ford added, "That's extremely mature. Now ask the CISO, 'how is our corporate security program performing?' -- and watch an extremely bright executive change colors and grasp at straws in offering a response you might relate to."

Most CISOs are still navigating without a map, albeit with the advantage of having excellent directional skills and communities that want to see the role thrive.

The OWASP CISO Survey has helped to alleviate confusion around best practices in 2014's CISO-grinding wake, when the end of the year found corporate leadership asking more about their security program, and how they could avoid seeing their brand juxtaposed with Neiman Marcus, Target and Sony.

Ford told ZDNet, "2014 taught the public about how important the work we do actually is, specifically in what catches the attention of the general public. At the end of last year, I saw more researchers and practitioners being tapped with executive roles, promoted to CISO positions to lead security for the company in a formal way."

The CISO Reporting Project's surveys are just the beginning. Ford told ZDNet that a whitepaper is in the works after the survey clears 100 non-infosec specific CISO responses. "We're aspiring to build a framework for a more unified reporting by CISOs," he said. "Our plan is to build resources to help first time CISOs hit the ground running, while helping present a unified front across the industry to corporate leadership."

With a new hack attack seeming to hit the headlines every day, the sooner the better.

In the meantime, tell your CISO friends, your CISO in law, or your friend's cousin's CISO to take the survey here: bit.ly/CISOSurvey2015 (it only takes 15 minutes).