Page 106 - Cyber Defense eMagazine RSAC Special Edition 2025
For the most part, this is how CISOs function. We are brought information. We have situations that require
our attention. We must determine how to balance limited resources. We must choose how we manage
different people. We must choose how we structure our teams. We must prioritize different functions. To
do so, we again gather data, take advice, and then make decisions. This is what a CISO does.
A CISO is also in the position of having to present information to organization executives and
boards. Their effectiveness in doing so is widely believed to be tied to their communication skills, which
go above and beyond a typical managerial function. It is largely for this reason that many CISOs tend to
be external hires rather than internal promotions.
Hiring teams want someone with executive presence and communication skills, with a proven track
record of working with executives. Even a Deputy CISO inside an organization is rarely considered for
promotion to the CISO role. The reason is that the Deputy CISO has not demonstrated the ability to work
with the executives and the board in the way an outside candidate has. They are seen as probably a competent
manager, but they have not proven themselves as a competent organizational officer.
Recently one of my friends made the leap after being a Deputy CISO of a large financial organization to
that of a CISO. He did so by essentially putting together a business plan for the organization’s
cybersecurity department. Specifically, he analyzed the organization’s security posture, as available from
open-source information, highlighted how the organization was deficient compared to their peers, and
created a plan as to how he would lead the organization to achieve parity. He also highlighted the cost
of the organization’s deficiencies.
Even though the organization might have initially preferred a proven CISO with a proven gut, my friend
demonstrated the ability to apply tangible metrics to the role.
Put another way, the seasoned gut instinct of a CISO highlights their craft as something closer to art.
They look at situations, look at the numbers, interact with people, and they make reasonable decisions
based upon years of experience. And for the most part, their decisions are reasonable and the best to
be made.
However, these decisions can frequently be wrong, or at least not the optimal ones. My friend,
by contrast, applied science. He gathered data and analyzed it to make a plan based upon that
analysis. Even though my friend was not a proven artist, he demonstrated himself as a scientist, and
executives and boards do like scientists.
Cybersecurity is one of the few corporate disciplines that has not embraced what I will broadly call data
science. For example, if a COO wants to retool a factory, they use a variety of mathematical formulas to
determine whether or not it makes sense, when there will be a break-even point, etc. They use
mathematical models to calculate staffing. Likewise, a CFO will use a variety of mathematical models for
just about any decision to be made.
Cybersecurity programs are only just beginning to gather metrics to support what remains a gut-based decision-making
process. The metrics can be straightforward, or they can be residual measurements of other activities.
For example, I can look at a phishing simulation and the resulting click rates, but does
that simulated click rate actually predict the click rate on real phishing messages?