really prevents one, the board shrugs,” Levine says. CISOs “kind of normalize the idea that the company is constantly under attack. That is certainly true, but it makes it very difficult for the board to get worked up over preventing a single attack.”

Moreover, this issue raises the question: Why should a security leader need to experience a major cyber incident to earn business colleagues’ respect?

Jeff Pollard, VP and principal analyst at Forrester, says this enterprise perception problem is “just part of human nature. If we don’t see the bad thing happening, we don’t appreciate all of the things that were done to prevent that bad thing from happening.”

Of course, if an attack turns into an incident and defense goes poorly, “it can easily turn from a hero moment to a scapegoat moment,” Pollard says.

Oberlaender, who now works as a cybersecurity consultant, is among those who believe hard-earned experience should be rewarded, but that’s not what he’s seeing in the market today.

Historically, “a smart company would not hire a greenhorn into the CISO seat, but a battle-tested, really and truly experienced CISO with multiple decades of experience,” Oberlaender says. “But unfortunately, in the current business climate, the opposite is happening. Companies hire cheap, inexperienced, unqualified, non-knowledgeable, and often so-called virtual CISOs for a fraction of the salary and then wonder why they have data breaches and poorly managed incidents exploding in their face.”

Meanwhile, other industry experts suggest that security leaders have other avenues for fortifying their positions in the business ranks, for example by focusing on the financial value they deliver in terms of winning and retaining customers. CISOs “feel that they need to fight off an attack to show value, but there are many other successes they can do and show,” says Erik Avakian, technical counselor at Info-Tech Research Group.
“Building KPIs is a powerful way to show their value.”

“Show [the CEO and other executives] what they are getting from these tools in terms of cost avoidance,” Avakian says, offering email spam filters as a low-level example. “Without those filters, far more emails will clog employee inboxes and that will deliver less efficiency” and productivity.

Those other executives “understand dollars and cents,” and the problem is that too many CISOs “don’t bother to show the actual value in real KPIs down to those dollars and cents,” Avakian says.

Chris Jackson, a senior cybersecurity specialist with tech education vendor Pluralsight, reinforces the frustration that many enterprise CISOs feel about the lack of appropriate respect from their colleagues and bosses. “CISOs are a lot like pro sports coaches. It doesn’t matter how well they performed during the season or how many games they won. If they don’t win the championship, it’s seen as a failure, and the coach is often the first to go,” Jackson says. “In the same way, CISOs can go 10 years without a breach, but a single incident can end their tenure. Too often, CISOs become the convenient scapegoat.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4074994/why-must-cisos-slay-a-cyber-dragon-to-earn-business-respect.html