The CISO shouldn't be the defender of security: Gartner

Many CISOs are charged with having to defend their organisation against attacks, but when breaches actually represent a business risk, why aren't company boards providing any input?

Despite CISOs having the words "information security" in their title, their role should not be that of the company's defender against hackers and online attacks, according to Gartner vice president and security and risk management chief of research Paul Proctor.

Speaking at the Gartner Security and Risk Management Summit in Sydney on Monday, Proctor said that too often, the CISO is seen by a company's board as the one responsible for ensuring that the business is protected against attacks. However, he argued that when this happens, the board isolates itself from business risks with the excuse that they are IT problems.

"CISOs are their own worst enemy when they position themselves as the defenders of the organisation, because it lets the executives skate on accountability," he said.

As a result, Proctor said that CISOs find themselves arguing for more money from the board, and the board itself doesn't see information security as a risk-mitigating exercise, but rather as a continual payment for "perfect" security.

Although no system can ever be considered perfectly secure, Proctor said the board doesn't often see it that way, and, separated from the business risks, doesn't realise that cost savings can be made if an acceptable level of risk is established.

"Choosing to save some money and experience more risk is a legitimate business decision. The failure is allowing executives to live there without it being a conscious choice."

Proctor said that when CISOs simply ask for money, they face a board that looks at past performance, sees that few or no security breaches happened in the previous year, and assumes this means the CISO's existing budget is adequate, even if it is woefully inadequate.

Proctor said that CISOs need to change the narrative by not asking for money, but instead asking for decisions on how much risk the business is willing to take, and providing the right defences accordingly.

This means that the CISO also has to reach out to the board in terms they understand. He provided the example of an automotive manufacturer, where production rates for vehicles were well known. Rather than telling the board that an IT incident might cause several hours of downtime, Proctor said that the CISO quantified the risk in terms of actual lost inventory.

"They report lost cars to their board, not IT downtime, because their board cares about cars; they don't care about IT."

Proctor's other suggestions for changing how the CISO performs in their role included ditching the use of fear, uncertainty, and doubt (FUD) as a tactic to convince the board of the need to spend. He said that it has limited value, as the CISO has no control over the threat itself, only over the company's readiness, and framing the conversation around readiness is a much more positive viewpoint.

He also said that even though it has been drilled into organisations far and wide, he still sees too many CISOs using tech-laden presentations in an attempt to communicate with the board. Technology should be abstracted out of these conversations, he said.

But conversely, he said that these sorts of discussions should also be used as an opportunity to re-educate the board that information security is not just a technology-based problem.

"They believe security is a technical discipline handled by technical people buried inside of IT. You need to instruct them that there is no such thing as perfect security. They don't understand this. Introduce them to their choice to spend more to lower their risk, or spend less and accept more risk. Trust me, it makes them think."