CISO evolution - around the Hash Table.
Rick Howard: If you remember from the previous episode, I explained that CISOs, CSOs and most CIOs are not corporate officers similar to the CFO, the CTO or the chief legal officer. The titles for the CSO and CISO give the appearance of equal weight, but legally, the positions are no more important than any other senior employee in the organization. The question that I have is, does it matter? Does it matter that the organization's board did not select the CSO or the CISO as a corporate officer? For this episode, I threw that question down on the CyberWire's Hash Table to see what our experts thought. And as usual, after the discussion, I had to adjust my thinking.
Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis.
Rick Howard: Let's start with some stats. Looking at three different surveys conducted last year, one from the Ponemon Institute, one from CSO Online and one from the CEO Forum out of India, about 14% of the CSOs and CISOs taking the surveys work with the CEO. About 43% work for the CIO. Twenty-six percent work for the chief risk officer or chief legal officer. And the last 16% work for other non C-suite bosses. So the bulk of us still work for the CIO, but it looks like that stat is trending down. Not too long ago, some surveys said that it was as high as 75%. I was talking to Gary McAlum about this. He is USAA's chief security officer. And yes, he is both an old friend of mine and an old military buddy, or else, you know, he wouldn't be on the Hash Table. And I asked him how USAA is organized.
Gary Mcalum: All things security are under what we call the Enterprise Security Group, which is led by the chief security officer. So within that group, within that department, we have information security, privacy, business continuation, physical security and corporate investigations. And we are a peer organization of the CIO and the IT organization and some other shared services. But we all report to - all these shared services report to the chief administrative officer, which is a direct report to the CEO.
Rick Howard: Gary is the CSO. And his scope of responsibility is typical of many other CSOs and much wider than what the responsibilities are for typical CISOs. Not always, but CISOs generally stay in the digital security lane, while the CSO has responsibility across other higher-order business functions. This is a bit confusing because the industry, myself included, tends to use these two titles interchangeably. But as the roles mature in the future, I believe they will become more and more distinguishable from each other. And in Gary's case, the CISO or the digital security leader works for him. But since Gary and the CIO are peers, they both recognize that their two organizations must be in sync with each other.
Gary Mcalum: I go back to partnership and collaboration. At the end of the day, there is - you know, there's singular accountability, but there's shared responsibility. You know, I would tell you at USAA, you know, the relationship is healthy between the CIO and the security organization. You know, we're mutually dependent on each other, right? So in many cases, we create work for the CIO organization - right? - through policy and through priorities. So, for example, as, you know, vulnerabilities get identified and patches roll out, you know, we'll oftentimes - to find the priority. They have to execute. And so we have to work together because we could come up with a bunch of unrealistic priorities and drive things, you know, and measure them to death and not necessarily achieve the result that we want. So, you know, there has to be, I think, a partnership and a collaborative approach. But at the end of the day, there is a certain level of assurance and enforcement that the security team has, you know, that role they have to play.
Rick Howard: For the past several years now, I have been saying that cyber risk is no different than any other risk that the business leaders have to deal with, that the network defender community hurt ourselves in the early days trying to make it so. Doing that gave us an excuse not to learn the language of business and therefore help to move us down the food chain and away from the C-suite. I mentioned that to Suzanne Vautrinot, Zan to her friends, a retired major general of the U.S. Air Force and director of multiple public and private boards like Wells Fargo, Battelle and City of Hope. This is her first appearance at the Hash Table. And I'm so glad that as a board member, she could lend her perspective. Here's Zan.
Suzanne Vautrinot: It's not just another business risk. Since most businesses are absolutely dependent on cyber, on the digital world, it is absolutely foundational to everything that the business does. So it's in the highest category of risk. It's not the only one at that level of concern, but it is certainly at that top tier. And it's not because it's sexy and interesting, which I truly believe it is.
Gary Mcalum: Yes.
Suzanne Vautrinot: It's because it is the underpinning of success in the business and it's the underpinning of opportunity for the future of your business, therefore highest here.
Rick Howard: So cyber risk is not special because it is somehow a magical kind of risk unlike any others and requires a unique treatment. Instead, cyber risk is special because it cuts across the entire business and therefore requires the attention of senior leadership. Gary thinks the same way.
Gary Mcalum: Yeah, I think this risk is not just another risk. It's one of those risks that has the ability to span the different types of risk. So, you know, within our risk taxonomy, you know, cybersecurity is considered an operational risk, but it's also recognized as a risk that can span the others - financial, reputation, strategic, compliance. So it's one of those crosscutting risks that, you know, is more than just a stovepipe risk area unto itself. Information security, cybersecurity is one of those areas - right? - that does have an enterprise view, right? And so there is a certain level of assurance that they have to provide across the company. And I do think having that as a separate function or a separate area aside from the CIO - I think there's advantages to that.
Rick Howard: If it's so important then, why doesn't the board assign the CSO as a corporate officer? According to Gary, this might help, but it's not the most important thing. The corporate officer label is more of a legal category and doesn't really help the CSO or the rest of the company leadership work to reduce the potential risk due to cyber.
Gary Mcalum: It can't hurt. But again, you could be designating that, and I guess it would help a little bit, but it's - more important is what is the tone at the top, right? What level of support does that person, that position have regardless of what they're designated as, right? And you could even make, you know, an argument that it also depends on where they're placed in the organization. If they're very, you know, multiple levels down, do they have the level of visibility they need on this issue? You know, does that indicate the level of support they have or they don't have from the company? So I think it's one variable among several. And I don't think he could do anything but help, but I don't think it's a critical success factor necessarily.
Rick Howard: According to Gary, it is much more important who the CSO works for rather than receiving a legal title like corporate officer. Zan agrees. She says from the board perspective, it is much more important to have the CSO part of the C-suite. Now, according to the website Investopedia, quote, "C-suite or C-level is widely used vernacular describing a cluster of a corporation's most important senior executives," unquote.
Suzanne Vautrinot: And if they talk directly to the CEO and if they talk to the board as a member of the C-suite, that's what's important in executing their duties. I think the question is more, what level do they need to be at? What seat do they need to have at the table? And what's the gravitas and what's the seniority of that seat?
Rick Howard: But even Zan says that this is not yet common in the industry.
Suzanne Vautrinot: We - on the board, we generally say C C-suite, and - because it is direct report to the CEO, which is the whole point. And I see it occasionally not with the CISO but occasionally with a CSO or a chief technology officer that has the CISO responsibilities as part of that portfolio. So it's not prevalent, but it is occasional. And I think the difference is the skill set behind it.
Rick Howard: What Zan is saying is that even though this is not commonplace yet, we are starting to see it emerge as organizations mature in their thinking about cybersecurity and as CSOs mature out of a strictly CISO mindset, not just thinking about digital security but thinking about security in context of the entire business.
Suzanne Vautrinot: Let's talk about the matrix of skills that makes someone ready to be a C-suite level. So it's the acumen that says you understand cyber. You understand cybersecurity. You understand the integration of digital into the business areas. You understand the implications for P&L and resiliency, business continuity. And you have that gravitas to be able to work across all elements of the business to bring that forward and to make that something that is important to all. And so that gravitas sometimes comes with time and sometimes comes with additional experiences that you can then leverage regardless of age - but certainly a bevy of experiences.
Rick Howard: So when exactly does an organization need a CSO in the C-suite?
Suzanne Vautrinot: I think in global companies and in large, particularly Fortune 500-type companies, when there is a foundation that is digital, either in servicing the customer or in performing the manufacturing or doing the business competency, you find that the technology base and securing that technology base to include all things digital is critical. And it's critical to the CEO, to the board. And therefore, that position is elevated. There is a maturity of the company in asking that properly, but there's also a self-awareness, a self-assessment that says we as a corporation are going to make decisions. And how are we going to take this into account? And ignoring it does not take it into account. So as you're asking those questions or as the board is asking questions of the leadership team, being able to address from a risk assessment and an opportunity assessment standpoint at that level is absolutely critical. And as long as the reporting chain allows that assessment and allows that conversation - that it's mature.
Rick Howard: I've been doing this kind of CSO job for the past 10 years or so. The board meeting - and I'm using air quotes here - has always been this kind of mysterious and sacred place. In the early part of my career, I was always trying to get into the board meeting so that I could tell them what was going on. Once I started attending, the question was, what the hell do these people want to hear in regards to cybersecurity. Since I had Zan at the Hash Table, I wanted to get her take. Her first thought was that you probably shouldn't come into the board meeting cold. It might be a good idea to talk to each individual board member and get their sense on what is important for their business.
Suzanne Vautrinot: In a perfect world, you don't have to ask them because you've had the conversations up front, and they know what you're concerned about.
Rick Howard: In those conversations, you want to convey the current state of cyber risk in the organization.
Suzanne Vautrinot: The first step is, how hard is your job relative to the foundation, to the enterprise that we have as an organization? Is this part of the normal operation, and you were able to build in visibility, protection, resiliency? Or is our foundation or our enterprise so challenging that the best you could do is safety nets and water buckets for the leaks? So how hard is your job relative to the foundation? - is important.
Rick Howard: The next thing that you want to make sure the board members understand is that you are totally aware of the current and future plans of the business and that you are there to facilitate them in the most secure manner possible.
Suzanne Vautrinot: Then the next question is, how in tune are you to the decisions that are being made about our future? So as we take advantage of opportunities as a business, how much are you part of the conversation about the physical expansion or the enterprise expansion or cloud opportunities or third-party opportunities? Are you part of that conversation?
Rick Howard: And finally, you want to let them know the most likely cyber issues that could materially affect the business.
Suzanne Vautrinot: And what kinds of vectors are likely to come after us either because of our industry or because of the way that we're structured relative to that very first question - are we an easy target or a hard target? And can you watch the changes in that and advise us on what we ought to be doing? So it's really - it's in context of the company, where the company is going and who might be after the company and how you have to protect it. And you kind of want a conversation in all those areas.
Rick Howard: Which brings us to the obvious question regarding, what metrics do board members need to see in order for them to understand whether or not the CSO is doing his or her job?
Suzanne Vautrinot: I like any metric where the person providing it could tell me how they're going to use that information. What are they going to do differently as a result of of that number or that assessment? And if they can't tell me that, then it's just a number.
Rick Howard: It's just a number. That's right. If you have been listening to this podcast for a while, you know that I think that the network defender's first principle is to reduce the probability of material impact due to some external event, either physical or digital. I asked Zan if she thought that was the correct way to think about it. She agreed but thought that if your metric for success is binary, meaning that you either prevented all the attacks or you didn't, then you are probably not going to be successful.
Suzanne Vautrinot: I don't believe for a minute that you can be completely protected. And if anyone thinks the CISO's job is to 100% protect them in all instances, I think you're doomed to failure.
Rick Howard: To that end, every leadership team has their own risk tolerance. For some, it's really high. For others, it's very low. In all cases, it's cultivated over years of experience in their own careers and blended together with the company's culture. Whatever the risk is, the CSO must spend some time understanding the tolerance of both the boards and C-suite members.
Suzanne Vautrinot: It doesn't mean that you have to mitigate everything. It means that I have a level of tolerance, and I can either - I can protect after that level of tolerance. So, for example, if I have a level of tolerance to my infrastructure, then I should have resilience and business continuity that protects me beyond that level of tolerance. And if it's a level of tolerance to customer access, then I should have a resiliency or a second mode of getting to those customers or servicing based on that tolerance.
Rick Howard: The role of the CISO and the CSO has changed quite a bit since the early days. It might be too soon to say, but it looks like corporate leadership is slowly coming around to the idea that there might be room at the C-suite table for at least the CSO in the future. I asked Gary that, 10 years from now, long after he has hung up his USAA spurs, if some Fortune 500 company could entice him back into another high-pressure CSO job if he had to work for the CIO.
Gary Mcalum: You know, that's interesting that you would ask me that. And I think the answer would be it depends, right? I've been doing it like this for so long that I've bought into the value of it. And so, you know, it would depend a lot on the tone at the top. It would depend on a lot of things. I would not just take the job without really looking at this closely and understanding the relationship. It can work. So I would certainly consider it. But I'd also want to understand what is the culture of the company? How does this CIO relationship - how has it worked in the past, right? What's important to this CIO, right? How are they measuring success in the security function? And what is the relationship between the CISO and the board and the senior leadership team? If everything goes through the CIO, I think my gut would tell me, you know, to shy away from it.
Rick Howard: I asked Zan a similar question. If in 10 years, some big company enticed her into another board seat, what would she expect to find in that role? She said that she would be looking for the elevation of the network defenders of the world to be part of the C-suite but in a way that is conducive to the overall business strategy.
Suzanne Vautrinot: I think it would be perfect if we raised them so that the CISO became a chief risk officer or chief security officer, security being security for the entire organization, from a physical, as well as a digital standpoint. And then that individual. Is now sitting at the C-suite, reporting directly to the CEO as either the chief risk officer with that set of credentials or the chief technology officer with that set of credentials but driving decisions about everything in the institution from that set of experiences. And I just don't think we've grown enough folks that well. And, sometimes, we rabbit hole them into the technology side instead of welcoming them into the full business side and making them responsible based on all of those core competencies. I think it's going to be absolutely essential.
Rick Howard: As usual, with these Hash Table discussions, I learned a few things that I didn't know before. The first is that being a corporate officer is probably not the most important thing. It is a legal distinction that won't help you get your job done. It might give you a little gravitas, but it's not essential. The second is that it is way more important for the CSO to be part of the C-suite. Either you work for the CEO or one of the other C-suite executives. The important thing is that you are seated at the C-suite table as a valued contributor. The third is that I have to adjust my view on cyber risk not being special. It's not special because we have to deal with it in some unique way different from all other business risks. But it is special in that it cuts across the entire business and thus warrants an executive at the C-suite level. I'm with Gary. Ten years down the road, if anybody is foolish enough to offer me another CSO job, if it involved me working for the CIO, I think I'd have to pass.
Rick Howard: And that's a wrap. If you agreed or disagreed with anything I have said about where the CSO or the CISO should fit into the organization, hit me up on LinkedIn, and we can continue the conversation there. Next week, we will be doing the season three wrap-up summary as we start to head into the holidays. So you don't want to miss that. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions. And the mix of the episode and the remix of the theme song was done by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.