What is a CISOs’ productivity?
Before I begin, I want to start with the caveat that my entire security leadership experience has been for technology companies (whether consumer technology or SaaS). That means that my perspectives will be different than those who have been involved with other industries (so pardon if this doesn’t fit what your opinion).
Why I am talking about CISO productivity?
The role of the CISO is not clear cut, meaning there isn’t an agreed upon definition of what a CISO does and is responsible for. Sure, there is overall acceptance that CISOs normally own a set of security and risk management functions. But even with that, what does a CISO really do? How can we measure the efficacy or productivity of a CISO?
If you’re a CISO, how do you tell yourself that you’re being productive?
There is popular belief that a CISO stands for “Chief Information Scapegoat Officer” or that a CISO should be measured by whether or not their organization has been breached, when in reality, a security breach is the result of multiple decisions that in hindsight were wrong. In fact, I have heard anecdotes that in a simulation where two separate organizations made the same exact decisions led to one organization getting compromised while the other didn’t. This is why CISO productivity is such a difficult thing to measure.
What is productivity?
Pivoting a bit, I believe it is worth discussing a bit what productivity is and how popular productivity measures compare to other C-level roles.
The effectiveness of producing something.
But what does this mean? Unfortunately, ‘being productive’ has a lot of connotations when it comes to being part of an organization. Most organizations define themselves as being productive if they are innovating, delivering value to their customers, increasing revenues, or working towards any KPI that matters to them.
While all C-suite positions have their own complexities, as far as I know there isn’t much debate about what a productive CEO, CFO, CIO/CTO, CPO, CLO (Legal officer), or CMO looks like. They all have some successful measurability aspects to their role (and to reiterate, it doesn’t mean their jobs are easier). A few examples of these are:
Annual revenue (or recurring revenue for those in some sort of SaaS or consumer service)
Gross margins, EBITDA, and other financial health measures
Reliability / uptime of services
Engagement, SEO scores, brand recognition
Legal and HR compliance
While not simple, most of these measurements are within the control of each C-suite. On the other hand, for CISOs, how is the role measured?
Some factors that I’ve heard are:
Risk mitigation or avoidance (whether quantified or not)
Tracking towards some sort of security scoring
Breached or not (and I don’t want to hear lip about ‘you are either breached or just don’t know that you are’)
All of these seem to be circumstantial in the sense that most CISOs do not have full control of making the changes to drive any of these.
Tying it back to CISOs
Unfortunately, there are a lot of CISOs out there who believe that having full authority and control over the measurements of the role is how to be productive.
Security is becoming the department of ‘Should’ rather than ‘Must’. People should be fired if they take an action that causes a company to be compromised.
This was my highlight of RSA, having to hear some CISOs who think like this. Basically, security at all costs regardless of the fact that employees still need to do a job that is measured differently than breached or not.
How I feel productive
I work for a product organization that has been very successful at releasing new products at a regular cadence. What makes us different is our ability to execute at a fast pace. This was clear to me when I decided to join that the intention to remain successful and a key part of it is to maintain such status quo. We have over 300 engineering teams and the company is purposely designed to not have single points of failures, that means that every department has a high level of autonomy so that the company can continue to grow with minimal roadblocks. Now, this does not mean that we’re careless about our risk management. We believe that trust is paramount to our success so velocity of innovation and trust goes hand to hand.
Our primary mission is to make security as easy as possible for any employee to adopt. We believe the best security is the one that it feels like it’s not even there. That means that we make the right decisions of what we buy and what we build in order to make things safer and easier while enabling teams to achieve the outcomes they want to.
Additionally, we see ourselves as a business enabler. That is, we work with teams to analyze the market and focus in areas that we believe we have to invest in to acquire new market verticals. Thinking this way, as a partnership, is how we can maintain a seat at the table and be critical to the business.
An example of productivity, is influencing other leaders to think about what risk treatment initiatives we need to have. Now, I don’t believe in big bang efforts that create a lot of toil and tax the organization drastically and instead I optimize for small and incremental efforts that are sensible and get others involved. As we have a decentralized security approach in core areas of risk, I prefer for the teams to have their own victories and provide a bottom-up plans for the areas that the people who are working on the systems that we want to manage risks for think we have to focus on.
So, how is this productivity measured?
Unfortunately, there are very little KPIs that can measure this. Ideally, the best signal you can get is positive feedback from across the organization and provide an understanding of the risk areas that are being addressed.
One thing that I’ve been giving some thought is how a productive security program should measure security toil. That is the amount of boring security work that the organization has to do because there aren’t enough safety systems in place to make this work a lot easier (ie., instead of measuring patched systems you’re measuring how much of your infrastructure is under automated management that handles such patches automatically). If you agree with this and have ideas or want to discuss, please hit me up.
We are in this together
That should be the CISOs and therefore, the security team’s motto for every organization. If a CISO starts a conversation (or ends it) with ‘I have a fiduciary responsibility’, then you are not building bridges. You are just making sure they never get built. All executives have that fiduciary responsibility as officers/executives of the company. If you act as a team player, you will not be singled out when an incident happens. That is, a CISO that wants to push security at all costs will most likely end up owning the responsibility of when that doesn’t happen. You become a team player, you play a team sport.
I believe that in an organization where security is a partner, security also owns the risk.
As a closing statement, my advice for CISOs is to worry less about who they report to and start focusing on how many more members of their organizations can they influence :micdrop:.