Blog

CISOs are NPCs

Written by Erik | Dec 5, 2024 12:35:11 PM

The first CISO was appointed by Citigroup, then known as Citicorp, in 1994 following a series of attacks by Russian hackers. Globally, there are an estimated 32,000 CISOs. Only 5% of CISOs report directly to the CEO; in 2022 that figure was still 8%.

The average age of a CISO is 55 years. Despite this, experience in the CISO role itself is relatively short: forty percent report only 0 to 2 years in the role, and another 40% report 3 to 5 years.

This may come as a shock to you. In my view, many CISOs are redundant. They cannot even get their organisations to use strong passwords, patch systems on time, or stop people from falling for phishing emails. CISOs are part of the problem, not the solution. Moreover, most of a CISO's tasks can be replaced by AI.


What does a CISO actually do? You know better than I do. I looked it up. Under the inspiring leadership of Fred van Noord, PvIB published ‘Functions in Information Security’ some time ago. One important area of responsibility for a CISO is policymaking. I asked ChatGPT to write a formal and complex security policy for a cardboard manufacturer:


Figure 1: Information Security Policy (translation below):


Security Policy for [Name of Cardboard Manufacturer]


Introduction

This security policy has been created to protect the corporate assets of [Name of Cardboard Manufacturer] against internal and external threats. The goal of this policy is to guarantee a safe working environment, protect sensitive corporate information, and ensure the integrity of production processes. This policy applies to all employees, contractors, suppliers, and other third parties involved in the activities of [Name of Cardboard Manufacturer].


Objectives

- Protection of corporate assets, including physical production facilities and intellectual property.
- Minimisation of risks such as data loss, unauthorised access, sabotage, and other security incidents.
- Compliance with applicable laws and regulations regarding data protection, security standards, and business continuity.
- Promotion of security awareness and the creation of a culture of accountability among all employees.


Within seconds, I had a document that many CISOs would envy. And I wasn’t even using the paid version. All jokes aside, there is a real problem:

Most CISOs don't have a team, do the job on the side, and have no budget. They are lone wolves who muddle along from the second line (the risk and compliance functions) and their ivory towers. The CISO tells the first line (the business, which owns the risk) what to do. Unfortunately, the first line often doesn't listen. And when the first line does come with questions, the CISO is all too happy to take over the initiative and the responsibility from the people to whom they actually belong.

I don’t envy you CISOs. Except perhaps for your salary. The average salary of a CISO in the US is nearly $250,000 a year. Money doesn’t buy happiness.

Not only is the CISO a lone wolf; a CISO also often lacks a career path or prospects. This frequently leads to disappointment and problems. Before you know it, you end up sidelined, possibly with burnout, as was warned at the One Conference in October.

CISOs make life hard for themselves. They prefer to create their own world with their own jargon. After all, knowledge is power. What other profession has its own dictionary? The cybersecurity dictionary explains around 650 cybersecurity terms in plain language. Some notable examples: air gap, botnet, catfishing, false negative, red team, and so on. Terms that the rest of the organisation loves to mock with a round of buzzword bingo. With ChatGPT-like solutions, the CISO doesn’t even need to explain these terms anymore.

Then there’s the ISMS… An ISMS, or Information Security Management System, as you know, is a structured framework of policies, processes, procedures, and technologies used to manage and improve information security within an organisation. The goal of an ISMS is to ensure the confidentiality, integrity, and availability of information by effectively identifying, assessing, and managing risks. Thanks, ChatGPT. Why do CISOs create their own system? Why isn’t security a part of the regular planning and control cycle of an organisation? This encourages CISOs to keep muddling along in the second line while the first line shirks its responsibilities.

The CISO as we know it is redundant. As my children say, they are NPCs: Non-Player Characters. By this I mean that the CISO is a role that is not part of the organisation, stands alone, and is not taken seriously by the organisation. It is no coincidence that, for example, NIS2 does not require organisations to have a CISO role: it places the responsibility for approving and overseeing cybersecurity risk-management measures on the management body itself (Article 20), not on a dedicated security officer. Things need to change. How can we ensure that the first line, the business, takes responsibility? Is a different approach the solution?

There are various scientific theories that can help us. For example, Susan Michie's Behaviour Change Wheel or Icek Ajzen's Theory of Planned Behaviour. The essence is that the CISO needs to understand human behaviour.

“Human behaviour is not the weakest link in cybersecurity; it is our understanding of human behaviour.”




Figure 2: Behaviour Change Wheel by Susan Michie


A CISO also needs to learn to set boundaries: don’t take over the first line’s role. And don’t set up a standalone system. A CISO should actually be a temporary role—a catalyst. Someone who raises awareness, coaches management, and integrates security into processes.

However, more is needed. Personally, I am a big proponent of the inoculation theory. Currently, we try to increase people’s resilience mainly through (online) training or games. This hardly works. Everyone knows you shouldn’t drive over 100 km/h on the motorway, yet many people still do.

Inoculation theory (William McGuire's) suggests that exposing a person beforehand to a weakened form of material that threatens their attitude makes that person more resistant to such threats later, as long as the inoculating material is not strong enough to overcome their defences. A CISO should, as it were, first inoculate themselves and then all employees with a healthy dose of cybercrime or other cyber issues. Employees take on the role of a cybercriminal and learn to, for instance, spread ransomware and commit CEO fraud by exploiting weak passwords, software vulnerabilities, and phishing. Hacksclusive, together with DOL Events, developed the game 'Mission is Possible' for this.

In addition, the CISO should make more use of the knowledge and experience of hackers. Alexander Klöpping wrote about it in 2014: hackers are the new heroes. Chris van 't Hof describes some of these heroes in his book 'Helping Hackers'. My personal hero is 0xDUDE. Perhaps it has to do with his birth year, but 0xDUDE was one of the grumpy old hackers who twice got into Trump's Twitter account. Do you remember how? Reportedly, the first time with a password reused from the LinkedIn breach dump, the second time by simply guessing a weak password on an account without two-factor authentication: exactly the basics the CISO is supposed to get right. 0xDUDE is the founder of DIVD (the Dutch Institute for Vulnerability Disclosure) and has reported more than 10,000 (!) vulnerabilities in his career. CISOs need to, like hackers, expect the unexpected.


Erik Rutkens