The Sacrificial CISO heralds a new age for cybersecurity
Will we see a rise in companies that throw their CISO to the wolves?
There are many different types of CISO, with many different backgrounds and reporting in to many different business lines. One thing they have in common is their wide, strategic view they of the business - or at least, it should be.
That's not always the case, said Ian Hill, Director of Information & Cybersecurity at Upp, in his keynote speech at this week's Cybersecurity Festival.
"Having someone at the top who doesn't get lost in the weeds and has a more strategic view is really important," he told the audience. "But sometimes you get people put into the role just so they can fill the title."
Hill calls these people ‘Token CISOs': A leader "assigned to tick a box from a compliance or PR perspective. They are often not senior enough to make strategic decisions or to have visibility of the wider business risk profile."
The Token CISO doesn't, thankfully, represent the majority of security leaders. Hill defined other types: Transformational, Tactical, Compliance Guru and more. These are all important archetypes, but we're also seeing the rise - very limited in scope for now - of one more: the Sacrificial CISO, someone who "carries the can" for a cyber breach.
The most obvious example of the Sacrificial CISO is Uber's Joe Sullivan, who now faces jail time for his role in concealing a 2016 cyber-attack against the ride-hailing firm.
"This shows we're getting to a place where the role of CISO is [personally] accountable and might be why we're seeing an increase in taking on third parties CISOs - as a risk mitigation strategy. It's far easier to blame a consultant for a lapse in judgement than a tenured executive."
Hill urged the audience - who were largely senior security leaders - "to be open and transparent. If you're not, it will come out and you will face the rap."
Changing attack landscape requires change in security
As any IT leader can attest, cyber-attacks are on the rise, with incidents increasing an average of 30% year-on-year. That means we can't continue to rely on traditional approaches like ‘people, process and technology'. Although still relevant, it looks increasingly outdated as attacks rise and teams shrink (or at least, fail to grow).
The modern CISO should instead look at a federated response known as Progressive Cyber, emphasising that cyber-security is not only the domain of the IT department.
"Make it everyone's problem," said Hill, "and outsource the hard bits."
Finally, he advised everyone to keep the following in mind when asking for increased budget - especially in this time of economic uncertainty:
"The CISO's role is to bring value by protecting value. Often when a CISO is asking for budget, business leaders will ask what value it will bring to the business - but it's not there to bring value, it's there to protect it."