Last week, during a SoSS report pre-briefing, Chris Eng was discussing our prediction around CISO tenure and said: “Who wants to be a CISO these days? Not me.” Even with SoSS Vol5 predicting that CISO tenure would shrink, it was shocking to hear our research VP make such a statement.

Our CISO tenure prediction is based on the fact that major breaches, or even a string of minor ones, can wreak havoc on a CISO’s career. Our research shows that new software isn’t being developed securely: there is a 70% chance that an application being tested for the first time will have significant, exploitable vulnerabilities. I don’t know about you, but I like to carry an umbrella when there is a 70% chance of rain. With those odds it’s easy to predict a significant breach in the future, and it’s really hard to succeed as a CISO when a constant string of breaches occurs under your watch.

Breaches also throw a wrench in any strategy a CISO has: everything gets put on hold until the cleanup is done. Any role with “Chief” as the first word should not be a ‘deal with daily disasters’ job. Chiefs should be agents of corporate change operating with a strategic plan.

Consider all the application security related change that CISOs should be enabling. They should be working to change internal development cultures from one of “time to market always trumps security” to one of actively managing software risk and taking pride in creating rugged code (Who Creates a Successful Application Security Program?). They should be changing how enterprises procure software from commercial software vendors and outsourced development firms, in some cases creating third-party security policies and procedures for the first time, in other cases putting in place the capabilities to enforce existing security policies for the first time. They should be figuring out how to support the enormous wave of BYOD by managing the risk that personal mobile app downloads pose to the business’s mobile apps and data. Not to mention that CISOs must keep adapting their protection schemes because the threat landscape is constantly changing. CISOs also face the added problem of being change agents in departments where they typically have no direct reports (development, procurement, etc.) and have little budgetary weight to throw around.

In large organizations, it is really hard for a new chief of anything to achieve meaningful results in 18 months. Conventional wisdom says the first year goes to learning the job and forming a viable strategy. At best a new chief can identify and implement a few tactical projects that could be foundational in those first 12 months. If CISO tenure really is 18 months or less, the role is in a constant state of implementing stop-gap measures instead of being the strategic agent of corporate change that the job actually requires.

So after thinking through all of this I can understand where Chris’s sentiment comes from. Being a CISO is no easy task. So to all you brave souls that are Tackling the Culture of Insecurity with a Chief in your title: I salute you!

About Jasmine Noel

At Veracode, Jasmine’s efforts are focused around market research, content development and sales enablement efforts. Previously, Jasmine was a founding partner of Ptak/Noel, an industry analyst and marketing consulting firm. Prior to that she also served as director of systems and applications management at Hurwitz Group, and senior analyst at D.H. Brown Associates. Jasmine holds a bachelor of science from the Massachusetts Institute of Technology and a master of science from the University of Southern California.

Comments (1)

Marty Carter | April 17, 2013 10:06 am

I really liked the line in the article that stated CISOs should be 'agents of corporate change operating with a strategic plan'. Very true and I agree, but I would argue it comes back to the age-old problem of striving hard to be "proactive", with regards to strategic security management, but generally finding that all you're able to realistically achieve is a structured "reactive" approach because of the day-to-day pressures of having to firefight at the operational level when, as the article says, as the CISO you should really be managing things at the strategic level.

Of course, I don't aim this example at a pan-organisational level; each business is different and I'm sure (I hope) there are CISOs out there who have the necessary operational-level resources in place to react to and manage those breaches when they happen and take the responsibility for carrying that umbrella to cater for the 70% possibility of rain! A utopian and optimistic outlook maybe, but I do live in the hope that all the brave souls out there tackling the culture of insecurity as CISOs aren't all facing an uphill battle.
