What is a CISO (CSO) - Redefined

First, understand the market conditions for cybersecurity and risk experts, then understand the feasibility.

Spoiler: any company's odds of acquiring an expert at the Executive Officer level are worse than roulette. A fractional CSO would better serve the business, but I digress.


CSOs usually last 6 to 18 months, while it takes more than a year to find another. Unless this short-term CSO tenure is part of the business operating model (e.g. a golden parachute; I know we are not supposed to say this out loud), it is a terrible business decision with negative ROI, and we know replacing an employee costs more than that employee's annual salary.

The true CSO understands the risk built into each business decision, so the impact (+/-) calculation is built into each decision. In reality, the CSO is frequently either a non-security expert tasked with cyber, or a tech geek with no business or revenue-driving expertise who really should be a VP, not an officer. This is why we often see the CISO reporting to anyone except the CEO. Those companies fortunate enough to find the rare, seemingly unicorn candidate who is great at both end up paying up to $2M in total compensation, so perhaps we need to rethink our approach.


Realign the role of the CISO:

First and foremost, in any business, a shared understanding and board-to-executive alignment are critical. Not all boards are active; however, the push for more active boards is coming. Not all executives communicate well with their board, and vice versa.


Implementing risk tolerance follows a very similar workflow; after all, cyber is a business risk with narrow but deep technical elements.


As in grade school, it is easier to keep an "A" than to earn one; entrepreneurs, or perhaps those who have had mentors, understand this best. In short, cyber risk should be nested into each project regardless of the CSO, essentially becoming automated. I tell all clients, "I try to automate myself out of my job." That will never fully happen, but it is a very efficiency-focused (ROI) mindset, and there is no downside to it.
