Open Letter to Target CISO CandidatesHint: Define the Role Before it Defines You
According to Gartner, the average tenure of a CISO is four years; according to the Ponemon Institute, it is 2.1 years. By any measure, one would call that a high-risk job. There is hardly time to fail, much less enough to succeed. Of late, perhaps one of the riskiest jobs in the world is being the CISO at Target. Anyone qualified to do the job is, presumably, too smart to take it.
As a group, CISOs live on a knife's edge and do not sleep very well. They know that a breach is inevitable. They know that if one should occur on their watch, they will be "thrown under the bus" or left "twisting in the wind." Yet they are staff; they are not line executives. They do not control the assets to be protected or the resources required to protect them. They cannot hire or fire the managers responsible for saying who can use the intellectual assets or specifying how they are to be handled. They do not design, choose or even specify the networks, systems or applications. Many see the job as "the executive designated to be fired."
As a group, CISOs live on a knife's edge and do not sleep very well. They know that a breach is inevitable.
After Target's breach, the CEO did the predictable thing, accepting the CIO's resignation and pledging to revamp security. But could the CIO (or now his own successor) fill the vacancy he created? Would you want to work for him in that job? Would you trust him to support you? Do you want such a high-risk job? Does anyone? I am going to presume to give some advice to anyone that is recruited for the job.
I got a call from a colleague, a senior vice president of security and compliance at one of those Charlotte banks. She wanted to know who my candidate would be for a vice president of information security reporting to her. I gave her the name of Peter Browne. Peter had been the first manager of computer security at the General Electric Information Systems Company. He had gone on to run his own risk management software company and then to another first as director of information security at Motorola.
Peter taught me a very valuable lesson about taking high-risk jobs. He said: "Negotiate your success going in," the implication being that after you are in the job, it may be too late. Of course, knowing what success looks like is a qualification for the job. If one does not know going in, it may well be too late to learn it on the job. Said another way, "Articulate what you can do for the hiring executive." Peter made their mouths water.
Peter said, "Agree with the hiring executive as to what success looks like." What are the metrics? No agreement, walk away. If one is too desperate for the job to walk away, one is negotiating from weakness and setting oneself up to fail.
Peter knew what success would cost. He knew the budget and head count that he needed to succeed. He asked for those going in. He knew what authority he would need to succeed, where he needed to report, who his peers would be, what his title had to be, and what support and cooperation he was entitled to expect of his management and peers. In the case of the bank, he said that he would have to be a senior vice president, peer with the executive who was interviewing him, and report to the same executive as she did. He got another first.
The Inevitable Breach
Clearly, success is not simply avoiding any breach. For Target, and any similar-sized enterprise, "breached" may be a permanent condition. One aerospace security executive told his board that their network was breached and that he could not promise to fix it. Even the National Security Agency now operates on the assumption that there are compromised systems on their network.
Any CISO who has not told his board that a breach is inevitable will inevitably lose his job when it happens. Therefore, one metric is the rate of breaches, or mean time to the next breach. More important metrics are cost of breaches and mean time to detection and mitigation. The Verizon Data Breach Investigations Report suggests that these numbers are outrageously high, in large part because we are not measuring them.
Peter never bothered to negotiate salary or perks. Like most good executives, he understood that if one ensures success, those things will take care of themselves. He also understood that some executives would be threatened by this style of negotiating. Some would want to be promised no breaches. He did not want to work for one of those anyway.
Emulating Peter will not turn the Target CISO position into a low-risk job, but it will at least give one a crack at success.
William Hugh Murray is a management consultant and trainer in information assurance specializing in policy, governance and applications. He is Certified Information Security Professional and chairman of the governance and professional practices committees of (ISC)Â², the certifying body. He has more than 50 years experience in information technology and more than 40 years in security.