I read an article today that really hit home and prompted to me hit the blog post. The article was in Security Week titled "How a CISO Can Be a Change Agent Within a Company" written by Mark Hatton.v It's great article, and very true--Mark made some great points.
One statistic in the article made me stop and think, "the average tenure of a CISO is 22 months."v There was no support for this statistic.v I "googled" a bit to see if I could find some support for the metric and found a few rough numbers but nothing concrete.v The interesting thing about this number is that I believe the number is true without the statistic support I was looking for.v I've been a CISO for a large international company and there was times it was miserable, I'll spare the dirty details.v Based on my personal experience 22 months feels about right.
My lesson learned is this, in order for security to thrive the C(I)SO needs to be the best sales person in the company and this sales job is the most important sales position for shareholder value.v As Mark Hatton mentions in his article about a positive perception, a C(I)SO job is about the popularity of the person holding the role in that they need to be a respected advisor and be able to talk freely about risk without being run out of the conference roomvwith torches and pitch forks by C-Level staff.v In sales it's a hard thing to establish trust and rapport, then you need to either create a need for your product or convince your executive team they need the product you are selling, then you need to close the sale.v Once all this is done, you need to rinse and repeat.
Here's the realism.v If the C(I)SO fails in their sales effort and the need was valid (i.e. a data breach follows), the actual loss is MUCH more severe than the lost opportunity or the incremental cents per share add to the bottom line--the entire revenue stream is now at risk and the entire per share value is at risk OR future earnings might be at risk is Intellectual Property is lost.v C(I)SO's (and security teams) help protect the continuity of the business revenue stream and keep customers coming back to your company versus the competitor.v The C(I)SO job is important, and intelligently applying security controls and architecting secure solutions that help your business innovate and enable your business for future growth.
Security teams can enable your business.v No one in the business is better positioned than a Security team to develop and create information platforms for business innovation while reducing risk of data or financial loss. C(I)SO's need to create a mutually beneficial value proposition for their companies.
In the words of Zig Ziglar "You will get all you want in life, if you help enough other people get what they want.”
