Devo recently brought together an esteemed panel of modern CISOs to discuss the issues that matter most to them and their peers. Included in the panel were:
- Stephen Ward, managing director at venture firm Insight Partners and previously a longtime CISO
- Kayla Williams, CISO at Devo
- Carraig Stanwyck, CISO at Avnet
- Jim Doggett, CISO at Semperis
- Chris Hickman, CSO at Keyfactor
It was a lively discussion that covered important topics around the evolution of one of the top security executive roles. Here are five of the key takeaways that bubbled up from the hour-long CISO panel.
1. CISO As a Professional Scapegoat Gets a Darker Meaning
In the last decade, most CISOs have come to terms with the fact that one of the most common unspoken roles they play is that of professional scapegoat. “It’s almost an expected attribute,” explained Stanwyck on the post-breach script that inevitably plays out as you are blamed, fired, “and then you have a job the next week playing that same role (somewhere else).”
But in this new era of regulatory action aimed directly against security executives, and CISOs facing potential jail time in cases like those against former CISOs at Uber and SolarWinds, playing that scapegoat role has taken a much darker turn. “It doesn’t bother me getting fired—that’s OK. What bothers me is going to jail,” said Doggett.
The point that the panelists were driving toward is that CISOs need to take measures to cover their own personal liability—with things like insurance, indemnification, and solid documentation of risk acceptance.
2. Documentation Is More Important Than Ever
Panelists dug deeper into the documentation discussion, explaining that documentation of risk and keeping track of risk acceptance by the business has always been a part of the CISO job. It’s just that the stakes are higher now.
As one of a couple of “reformed auditors” on the panel who moved into the CISO role, Williams said that documentation was second nature for her. It was always going to be a priority regardless of the SEC regulations or recent court cases. It’s a key way for CISOs to protect themselves and their organization. “If it’s not written down, it didn’t happen,” she said. “And I try to be as thorough and detailed as I possibly can while bringing things to management’s attention.”
3. All CISOs Are Risk Officers
Woven into the discussion of documentation was the broader topic of the CISO’s role in risk management. As the CISO role evolves at most companies, one of the ongoing topics of debate is whether the position is a cybersecurity or risk management role. Doggett argued that to one degree or another, all CISOs have been risk officers, too, because there’s no such thing as an unlimited security budget or unlimited time to make fixes, so there’s always been an element of prioritization in the job.
But at the same time, many CISOs have found themselves stuck in tactical protector roles—both because that’s the domain they were comfortable operating within and because the organization didn’t perceive a need for more. The situation is improving, though. “I used to always tell folks, I can manage outrage up or risk down. You tell me,” said Ward. “I feel like security in the beginning got too comfortable with managing outrage up and now we’re learning how to manage risk—not to zero, but to something that’s more manageable.”
What’s especially changing now is that CISOs who have been previously hemmed into that protector role rather than a risk advisory role can actually take advantage of new regulations from the SEC and elsewhere to change their level of influence. “To me, it’s an opportunity—how can you elevate yourself to be part of that C-suite and to directly converse more with the board and gain their trust,” Doggett said. “And it does require us to change our technique, I think a little bit. Historically, what we did was preach fear and doom. Now, you’ve got to talk business, (and say): ‘You guys can make the decision, but here are the risks in terms of what can happen.’”
4. Smart CISOs Are Positioning Themselves As Business Executives
Part of that shift to a risk advisor role is recognizing that most businesses need CISOs to emphasize their business acumen more than their technical know-how. “That’s the trajectory we’re seeing,” Stanwyck said. “Instead of being a security executive, it’s time to be a business executive.”
Doggett agreed, stating that his last two roles were not technical at all. “They were political. Political and sales, that’s basically what I spent all my time doing,” he said.
Hickman concurred as well, explaining that part of it is CISOs finally learning to “speak business,” which revolves around revenue and driving business value. “We used to come in a couple of years ago and go, ‘Oh, this technology and that technology and plug this in and here’s a diagram that shows everything. I need about a half million dollars budget,’” he said, explaining that this would just get business stakeholders begging for a translation of that ask into business value. “I do think that is starting to shift, at least I’m noticing in my conversations with people and in their daily lives that that shift is starting to take place so that they are having more amicable conversations that end up in the same place, but with a different realization of value.”
5. Some CISOs Are Moving Away From “Empire Building”
One other topic of discussion, at both the panel and the rest of the conference, was how security leadership has had to change strategies in order to shift security culture within organizations. The goal for many is to help everyone—from marketing to legal to product managers—to recognize that security is everyone’s responsibility. But if that is true, CISOs have to look closely at how they operate when it comes to budgeting and managing security duties daily.
“One of the challenges we’ve had is a lot of CISOs have an empire-building mentality where they try to bring all the security stuff in (to their department) and they try to capture the budget for all of that,” said Stanwyck. “But when you do that, you effectively, in my opinion, tell the business, it’s not their responsibility.”
Those are just some of the biggest takeaways from Devo’s CISO panel. To listen to the whole session, check out the recording here.