[Posted On Behalf of Rajeev Shukla Chief Products Officer <> Chief Strategy Officer <> Chief Executive Officer Building Next Gen Cyber Security Venture at Stealth Mode ]
CISO is one leadership role, which has gone through more changes on competence, skills and maturity curve than any other leadership role in enterprises. The "Needs and Expectations" from a CISO have changed almost every two years during the last one decade. That is a rate of upgrade, which beats down even the smart phone market. It is a tough and arduous road for people, who are either in role or aspiring to get onto that road.
Combine this with another fact of businesses across the sector. Most companies started becoming serious to CISO and equivalent positions only during the last decade, after, treating cyber security only as compliance devil for more than two decades. That meant, organizations pushed mid level management, into CISO roles, because of two factors, one lack of requisite budgets and two lack of real significance placed on role. The phenomenon led to a situation, where quite many CISOs didn't have the time and opportunity, to gather right experiences, at strategic level. And, still had to fill in positions which demanded strategic capabilities, in tough, challenging and risky circumstances.
The Origin of the Role
When one looks at the origin of Cyber Security, and, how it was regarded, in early days, that explains the limitations and also the stance of many of the CISOs, even today. Cyber Security started out mostly as a hygiene factor, and, then grew further through a push by standards bodies, governmental requirements, into compliance activities. For a long time this remained the focus and push by the people, who were responsible for security in organization.
First Generation - "The Checklisters"
Our first generation CISOs mostly came with both the background and mindset of preparing, maintaining and updating documents which were around hygiene and best practices, as mandated by external bodies, communities & regulation authorities. This generation was mostly focused on repeated attempts at checking the configurations, processes, and, documentations as mandated by their industry, industry associations, and, compliance frameworks. This generation of CISOS did a good job, till Cyber Security needed more that host hardening, network hardening and backups. Some of people who were indoctrinated into cyber security, with the dimension of "Checklist" found a new reality to deal with, in products and technologies, which were needed to be acquired, to go beyond hygiene factors.
First Generation Quadrant Placement
This generation CISOs will have most of their focus on risk management, mostly from audit and compliance point of view. While they will be low on threat understanding and threat focus. Their organization will also be on lower side, on response abilities. Most of first generation CISOs, will have their team cultures built around, "demands of auditors".
Transition into Protective Stance
One of the first set of products, which got beyond host access and network access controls and basic monitoring were mandated by need of a protective stance. A multitude of products, which worked on the premise of blocking threat/bad actors and traffic came into being, and, changed the world of CISOs.
Second Generation - "Lock and Latch"
A generation of CISOs grew in an environment, which focused on acquiring products, which can protect hosts and n/w periphery with a range of incremental options. This generation suddenly found marginal availability of budgets, which company board was willing to spare, if the products were suggested, and, they gave a comfort factor to board. Second generation of CISOs were mostly product buyers, who would be spending a lot of time, evaluating technologies, mostly around protection, to lock and latch their assets from the prying eyes.
Second Generation Quadrant Placement
This generation will largely be product buyers, and, mostly for protection. This will have low focus on risk management and this generation will also be low on threat understanding. Since their attention is on acquiring technologies, which promise to protect, they will be low on both risk and threat understanding.
Protection is "Not Enough"
Next major transition in world of Cyber Security was introduced, when continuous and innovative evolution of threats & communities made it apparent, that best of the protection will not stand a change, in the face of a committed adversary. People realized that, their security has to go beyond protecting digital assets, through blocking, limiting access & simple signature based security measures.
Third Generation - "Detection & Response"
This generation shaped up, when, identifying what is happening in an enterprise digital setup, and, taking measures to detect the potential adversary, and, stopping them in their tracks became critical. A host of new models of security were developed around detection capabilities, and, then equal amount of technologies and tools were adopted for the same. CISOs needed to transition from their tools buying mindset to "Real Time Detection Program" based security.
Third Generation Quadrant Placement
This generation, will be mostly working on real time detection, and, hence will have both operational focus and technology focus on being proactive. This generation CISO will be high on both threat focus/understanding and will also be high on response capabilities. Though, even here, overall defense capability will not be very high.
Threats Evolve Everyday, So Should Security
Another major shift in industry, was caused by realizations that, stopping threats in their tracks using detection models & response mechanisms was not good enough. Cyber Security needed to be more real time than tracking who already has and/or is trying to barge in. Intelligence and dynamic capabilities were two pivots, which defined this new era of security.
Fourth Generation - "Predictive and Preemptive"
CISOs faced a need to shift their entire thought model, and, corresponding strategy and tactical measures. Hiring skilled people on technologies and products was not good enough. Operating best of the protection technologies and detection frameworks was not enough for organizations to maintain their security posture. CISOs needed to think beyond "Truths" from their internal apparatus and internal data. This led to an army of tools, frameworks and programs, which focused on threat intelligence and cyber security competence as primary levers to move beyond detection, and, be preemptive.
Fourth Generation Quadrant Placement
This generation CISO will be high on threat focus, high on response capabilities, high on defense capabilities (through intelligence and proactive frameworks), and will also be in a position to redefine risk framework of the company & create new risk focus. This generation CISOs is difficult to groom and even more difficult to find.
Generational Mismatch
Quite a many times, CISOs or people who have been on that path, have found themselves, in a generational gap, of both skills and mindset. We still see, first generation CISO, struggling with fourth generation requirement. Or, sometimes even worst, fourth generation organization. This generational mismatch is because of rooted beliefs in what works and/or what great security is. We find that, a CISO is still mostly centered around "Checklist", while, second or third generation related concerns have been delegated to layer/s below. This generational mismatch is quite simply a misfit of the person into a role.
Lack of Skills Upgrade
Some CISOs or people on that path, have made the shift, at least in their heads. But their respective organizations have been shy of investing in their capabilities, to support and supplement their mindset shifts, with new generation models & even more, new generation operating frameworks. Lack of attention and lack of budgets to enhance the skills of CISOs across the sectors, has been a major reason, for CISOs inability to transition orgs security, despite change in their own mindsets.
The quadrant model at the top of this article is a simple but effective tool to assess, which generation a CISO belongs to, and, what could be an evolution path for one, who is not yet in fourth quadrant. In today's threat landscape, every CISO needs to be in the fourth quadrant. Without a measured look at, where a CISO is, and, what are the gaps, boards will not really do the justice to demands of cyber security of, today.
It does not have to be a linear progression, from one quadrant to another one. An organization and a CISO can make a roadmap to transition an org, and, himself, from second quadrant to fourth quadrant. But, that can be done only when 3 critical things are in place ...
Realization of current state and need of transition
Organizational and board buy-in for such transformative leap
Resolve to work hard, and, will to deal with rapid skill/expectation changes
Comments