The Difficult and Dynamic CSO Job
Updated: Apr 18, 2019
Cybersecurity and privacy started with "urgency" in 2019 and are ramping up forcing the corporate owners to work ahead of normal planning and budgeting. The CSO (Chief Security Officer) is on the front line and has one of the hardest jobs in any technology company. (We feel confident saying that without going too far out on the proverbial limb.) If a business is developing software and services, the job is that much harder.
In addition to cybersecurity and the technical aspects, there are also physical security responsibilities (of employees, facilities, devices, etc.), privacy concerns (which are not security, but considered by most as the same thing), and compliance requirements (which are shared with legal). It can be a real trick balancing and juggling all these aspects. The CISO (Chief Information Security Officer) does not have as much scope (debatable) yet might be more accountable with less of the visibility, resourcing, and empowerment/sponsorship needed to be successful — often a CISO only gets a "seat at the table" in the CxO suite when there is an incident or other bad news to share. But for this post, we'll consider CSO and CISO as equivalent — really anyone who is the corporate "go to" person for security and privacy even if they do not have a title that includes "security".
A CSO could list several more, but here is a short list of challenges the Cylidify encounters frequently:
Politics and influence — not reporting directly to a CxO or having regular access to the board of directors. If you report through IT (and not directly to the CIO) or through some other organization that doesn't provide the right visibility and opportunities to represent security and privacy holistically, you will end up being reactive, which is not good for your mission or the business as a whole.
Budget and resources — managed/allocated in a profit center (versus cost center), as a fixed budget, or as a budget shared with other departments. You should have your own budget with a component that is dynamically computed based on the departments that you support. It's tough enough to get proper funding to match the business growth and shifting imperatives/goals, but near impossible if you are fighting for the leftovers or constantly having to justify the ROI.
Drive compliance, but not enforcement — you need to be able to set policies and specific practices but shouldn't directly police/enforce them. You should be chartered and empowered to drive compliance. However, the real ownership, accountability, and resourcing should reside with the leadership in the responsible department (e.g., IT or R&D). If you have to police and enforce across the company down to individual contributors, you will become avoided and embattled, leading to unpleasant escalations and lower overall compliance.
Incidents — being reactive versus proactive. Dealing effectively with incidents and making the best of these opportunities is a significant challenge. Many businesses only understand security ROI when measured in the context of an incident or breach and the corresponding response activities, fines, lawsuits, lost customers, tarnished brand, etc. Even in those cases, the follow-up discussions tend to be less about how to "left-shift" security and privacy (minimizing costs and maximizing value to identify and protect), and more about how to detect, respond, and recover better and faster (thank you NIST). All are necessary, but there must be a balance.
How can Cylidify help? Cylidify leans toward "an ounce of prevention," but we can also provide you with "a pound of cure." We have worked with many CSOs and understand the challenges of the job. We can be a sounding board or second opinion, but also have blog and training content you can leverage in implementations. Additionally, we can provide direct or referral resources to assist — from planning and scoping through to incident response or security implementations. We can help you make a case for additional and investments (early in the process), then defining the ROI and navigating the resourcing challenges and crowded, noisy market of security platform and tool vendors for implementations.