If you’ve got a “C” at the beginning of your professional title, you’re at the top, or pretty close to it.
That, at least, is the perception of most people below the “C-suite” in an organization.
But, there is a hierarchy in the C-suite as well, and the Chief Information Security Officer (CISO) tends to be stuck at the low end of it, both in influence and respect.
That’s the finding of a survey by ThreatTrack Security, reported in a white paper titled, “No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers.”
More specifically, the survey of 203 C-level executives at U.S. organizations employing a CISO found that a large majority (74%) thought CISOs didn’t even deserve a seat at the C-level table and viewed them primarily as “a convenient scapegoat in the event of a data breach.”
Given the enormous importance of a CISO’s job – to protect the corporate “jewels” from theft or exposure – why is the position what some sardonically call “the Rodney Dangerfield” of the C-suite?
In casual terms, it seems to come down mainly to this: Being a geek isn’t enough.
The majority of executives surveyed believed their CISOs’ skillsets were too narrow for them to succeed as leaders outside of infosec.
Or, as ThreatTrack President John Lyons put it, “the corporate C-suite is a very competitive place. This finding underscores that many C-level peers view CISOs as one-dimensional – the ‘security guy’ only.”
It has actually been worse than that for some time. For years, a CISO and his or her team have frequently been viewed not only as “just security people,” but as an impediment to the effective functioning of the business whenever they seek to impose security restrictions on workers.
A frequent complaint about CISOs is that they don’t know how to “speak the language of business.”
And according to Lyons, that leads to a lack of respect. “Trying to enforce rigid security mandates and policies that others view as barriers to progress and productivity no longer works in today’s fast-paced, technology-driven corporate environments,” he said.
In short, to gain respect in the C-suite, CISOs have to work to be viewed as business enablers, not impediments.
“To be respected, CISOs must demonstrate their ability to view business problems from different and multiple lenses,” said Gus Anagnos, vice president of strategy and operations at Synack. “Security decisions can, and in most cases do, have a broad impact on a company.”
He agreed that CISOs have to overcome the perception that they are introverted technocrats and little else. If they can’t discuss much outside of IT issues, “executive peers can interpret this as an inability to see and understand the big picture, leading them to conclude that CISOs are ill-equipped leaders,” Anagnos said.
That is the way Jason Clark, CISO at Accuvant, sees it as well. “To gain respect, the CISO needs to be a business-savvy executive who needs mentoring from either the CEO or CIO, or from another top CISO,” he said.
Dave Frymier, CISO at Unisys, agreed. “Any security – military, protecting the Pope, information security – is a balance between risk and usability,” he said. “Unless CISOs understand at least something about organizational objectives and business needs, they won’t be able to make, or explain, that tradeoff in a meaningful way.”
Chris Wysopal, cofounder, CTO and CISO of Veracode, has a similar message. He said CISOs should “focus their attention on ideas that truly add to top-line business value. Understanding how to position security as an enabler for winning, serving and retaining business for the enterprise is essential.”
He added that part of the problem is that the CISO role “is relatively new and currently being defined compared to the more established C-level executive roles. What CISOs are discovering is that their security skillset is only part of what is needed for longevity.”