The conversation CISOs don't have that gets them fired

Chief information security officers are lasting a strikingly short time in their organisations despite knowing their stuff, because they simply aren't talking with the organisation's board in the right way.

Businesses aren't having the right conversations in the boardroom with their chief information security officers (CISOs), and they're investing in all the wrong areas, according to Websense chief security and strategy officer Jason Clark.

In a media round table on Wednesday, Clark said one of the problems CISOs face is that having technical skills is simply not enough, and that this is resulting in massive burnout, or a waste of otherwise good talent.

"The average CISO in a Fortune 1,000 lasts 16 months in a job," Clark said.

"They might be very smart and very good at IT, and they might actually know the ways to stop the bad guy, but they don't know how to articulate that and be business enablers, talk to the board, and sell the business on why they need to do that."

Clark said that a CISO who doesn't keep the board in the loop will, sooner or later, either get frustrated or get fired.

"They try to come down and just start locking things down and control, control, control, and they don't last very long, and they're out," he said. "Either they get frustrated because nothing moves, or the business says get rid of that guy, he's crazy, he's causing problems!"

But the blame doesn't lie solely with the CISO, either.

Clark said that the boards of organisations often aren't talking to their CISOs enough, nor are they even asking the right questions.

"We ask, 'Do we have any repeat findings in audit?' The answer is generally no or one or two minor ones. [Then we ask] 'Do we have any brand new big risks we should worry about?'," he said, giving the example that a project like rolling out iPads might create new risks, but that nothing is looked at beyond bare-bones compliance. "That's just the wrong conversation.

"They're in there 15 minutes and they say OK, thank you, and goodbye."

Clark said that the conversation should instead be about business risks, threat models, and how the business measures itself against each stage of an attack. This could include the CISO asking what the most important business outcomes are, outlining the potential threats to them, and identifying where the company's security posture stands, so that the gaps can at least be quantified.

According to him, these sorts of conversations should be happening at least once every quarter, if not once a month.

Finding funding to address the gaps, and picking which technology to use, is another key area that Clark said businesses fail to think carefully about.

"Today, organisations are [stuck in] compliance and infrastructure-based security programs, which means they just check the box and they go buy what all their friends are buying or what their vendors are telling them to buy."

He argued that in the organisations he's seen, 80 percent of security spending goes to firewalls, intrusion prevention systems, and endpoint security.

"That stops somewhere between 28 to 35 percent of the problem. So 80 percent of your money is going somewhere that only stops 35 percent of the problem. That's a major gap."

Clark acknowledged that while security spending could do with an overall increase, the reality is that most are making do. But, according to him, there are still many better ways that their existing budgets can be spent.

He gave the example of antivirus products, and how frequently they miss new malware. Instead of spending a theoretical $10 per user on one of the top-tier antivirus vendors, Clark said that organisations could look at moving to an open-source alternative that might only cost $1 per user.

While there would be a reduced ability to detect malware, Clark argued that given the low detection rates, the difference would be minimal, and the savings could be spent on better addressing the root causes of the issue.
