Want to be the best CISO you can be? Take a word of advice from Todd Fitzgerald, Global Director of Information Security at Grant Thornton International, who gave a detailed and often entertaining presentation on Friday, the last day of the RSA Conference.
Fitzgerald talked about his own journey to becoming a security professional, the current state of security affairs, and what’s needed going forward. He called his talk “Super CISO 2020: How to Keep Your Job,” and it was especially timely given security's current high profile, and the CISO’s need to stay current.
Fitzgerald drew examples from his own life to show that using technology to improve security has been the way of things for a very long time. He showed an old photograph of his grandfather, who in the early 20th century designed a device to protect safes. His method was simple. Four tubes of glass containing tear gas were cemented inside a safe and would be released if the safe was cracked. “You can still find some of these today, but if you do, call the bomb squad because that tear gas mix has now turned into the consistency of nitroglycerine,” he said.
Why Does a CISO Get Hired?
Turning to the current state of affairs, Fitzgerald sought to put the role of the CISO in perspective. A Ponemon survey he referenced found that 52 percent of CISOs were hired in response to a security incident or breach, 21 percent due to a regulatory or compliance snafu, and 8 percent in response to liability or exposure.
“So 80 percent hired a CISO because of some problem at the company. That’s why we’re hired,” said Fitzgerald. “Not because they love us.”
In a similar vein he noted that healthcare CIOs were asked in a survey whether they had a CISO and a slim majority, 51.8 percent, said they did—but 21.4 percent said they didn’t want one. Fitzgerald pointed out that Target, the victim of a major security breach, didn’t have a CISO at the time. “Those are the ones who will end up in the other chart. It’s a very good time to be in security,” he said.
But job security is another matter. The average tenure of a CISO has been estimated at as little as 2.1 years, and Fitzgerald said other studies he has seen show it to be even shorter.
Fitzgerald joked that one reason for the short tenure is that the CISO often ends up being the “Chief Scapegoat Officer” when something goes wrong. But on a more serious note he emphasized that to be effective, a CISO’s knowledge base has to be very broad, and he or she needs to be current on the latest threats.
Relating to the C-Suite
The role of the CISO and certainly the path to effectiveness has also evolved. “We have to recognize that we have a lot of relationships with people outside our organization,” said Fitzgerald.
“Each position is looking for something different, from the CEO, to the CFO and CIO, and we as CISOs also need to work closely with the Privacy Officer,” said Fitzgerald. He also noted that everyone wants to report to the CEO for career advancement, which can be okay, but security pros should be aware that the CEO is typically focused on things like mergers, and the overall environment of the company. “The CEO is the vision guy, he’s not going to care about a lot of details,” said Fitzgerald.
Another important CISO skill is understanding how people work—for example, millennials tend to work very differently from older workers. “By 2020 about half the workforce will be millennials and that’s going to drive a lot of change,” he said. Fitzgerald predicts passwords will be replaced and the mobile phone will play a more central role in end user security as early as 2020.
It’s also important that the CISO recognize the inevitable, rather than say everything is too dangerous. For example, Fitzgerald believes Big Data “will lead to big problems” because, just as in the old days of the data warehouse, companies are aggregating data into one big target that poses a real security risk.
Similarly, he says Bring Your Own Device (BYOD) can be Bring Your Own Disaster for IT departments “but we have to support it.”