I’ve sat in the corporate chief information security officer’s (CISO) executive chair long enough to realize that the traditional hierarchical model, in which information security reports up through the technology department, has a fatal flaw. This hazard stems directly from the inherent conflict of duties that exists by the very nature of the position.
For those who are not clear on what the CISO does for a company, the CISO is the lead enforcer, investigator, evangelist, architect and leader for information security, IT risk, governance, privacy, compliance and cyberspace law support, among other related duties. Essentially, the CISO is in the business of law enforcement.
Common sense should tell us that when you put a person into a law enforcement position and embed them in the very same organizational structure they are obligated to investigate, scrutinize and otherwise enforce rules within, conflict inevitably arises, and in my personal experience it arises ridiculously frequently. The conflict I am referring to is not trivial in nature. I’m not referring to personality conflicts or management style conflicts. No, I’m talking about discovering serious misconduct, fraud, criminal actions and other nasty issues that immediately put the CISO into one of those “Crap … not again” moments, where you either compromise your ethics and collude with the enemy, or you retain your honor but, because of the reporting structure, not your job.
If we compare the CISO to an officer of the law, the CISO is effectively an undercover cop. The problem with undercover police work is that when the people you investigate find out that you know they are criminals, they invariably try to kill the undercover officer.
I’m very good at what I do, and I have a talent for finding where the corporate bodies are buried, which is both a blessing and a curse. Believe me, I’d love to have career tranquility, but it seems that I am destined to keep my battle armor on for as long as I continue my career progression. It’s my job to enforce the law, and that is exactly what I’m going to do.
The problem every security practitioner faces, especially at the top of the company ladder when we become the CISO, is that we are positioned incorrectly in the corporate structure, which puts us in harm’s way. This dangerous tour of duty is a direct result of the opposing force we are thrust into, regardless of our personality, tolerance for conflict or resolve.
I’m convinced that the only remedy for the CISO’s career plight is to reposition the CISO organization out of technology and into the legal department, the finance department or the operations department. There is another option, which is for the CISO to get down into the mud with the other scoundrels and join the club. The latter will certainly catch up with all of them eventually, and I’d rather be briefly unemployed than in jail any day.
This CISO sleeps well at night knowing that no matter the adversity, I’ve retained my honor and integrity along the way.