When it comes to DevSecOps, what’s the role of the CISO and who’s responsible?
August 12, 2020
"I don't own risk for the organisation. It's my job to inform management and my peers on what I think is the right thing to do and why"
Chad McDonald, CISO at Digital.ai, discusses the CISO role and why making the CISO the "fall guy" is never good for the business, with Sebastian Avarvarei, Director for Security Advisory Services Europe at Wolters Kluwer, and Dr Paul Lewis, Senior Director of Cloud Security, Elsevier. Hosted by Thom Langford, Founder, TL(2) Security.
Are they responsible, accountable, consulted, informed, et cetera? So when it comes to DevSecOps, when it comes to actually making this happen, what's the role of the CISO? Who's responsible? Who's accountable?
So that's a really good question actually, because traditionally, I would have said the CISO is both responsible and accountable for making kind of DevSecOps happen. However I'd argue, you know, the old kind of proverb about security is everybody's problem, I think should actually manifest itself in the outside world as well, and DevSecOps and all those kind of good ways of doing things.
So one of the things we should have done with Elsevier is set up a security champions programme. And the security champions programme is to kind of help scale security advice into development squads, dev teams, and so on and so forth, and that allows us to get good ideas and good kind of standards and ways of doing things into the squads rather than me having to be the central point of failure, in some cases, or central point of contact. So that's one way of actually sort of getting the RACI kind of question into people's minds.
I think the other sort of flipside to that is, ultimately, people have to have a level of skill to be able to advise people on the level of risk they may be carrying. So senior managers, senior directors, and CEOs, for example. So I think it depends upon the organisation. It depends upon the culture.
And it also depends upon how mature the organisation is as well, because if you have quite an immature organisation, that's going to be quite a difficult conversation to have when you could be having significant revenue challenges, for example, in the current COVID-19 environment. So I think those are the kind of sort of responsible, accountable, consulted, informed conversations I would have.
So spoken like a true consultant. It depends.
Chad, you look like you got a follow on.
No, I was going to agree with him. I mean, ultimately--
No. No. We want to disagree. It makes it far more interesting.
As a CISO, it's not my decision. I don't own risk for the organisation. It's my job to inform management, to inform my peers on what I think is the right thing to do and why, and to ideally quantify that in some way.
So here's an interesting question then, Chad. Given the current climate of lots of breaches, for example. There have been significant breaches in the UK around sort of securities, like British Airways, for example. There's been a lot of talk on Twitter and social media around "the CISO must be fired". So, if that is the case, there's still a perception out there that security is the CISO's problem, therefore they should be fired because they didn't do something, whatever that thing is. So what do you think about that particular sort of thing?
I think that, in some cases, those are poor business decisions, and unfortunately, the CISO gets to be the fall guy.
The bad guy, yeah.
Well, that's why they pay you the big bucks for, right?
I wish. I wish.
So the old adage, CIO means career is over, while CISO, I guess, would mean career is somewhat over. So it's--
Exactly. Exactly. But I mean, part of that's the reason I think the average tenure for a CISO is around, like, 24 to 36 months in any role. The reality is that most organisations don't-- the CISO has, again, the responsibility to inform the organisation, but doesn't actually have the authority, or resources, or anything to move the security ball down the field. What they can do is collaborate, negotiate, build the security plan, but typically, it will be some other group that is enacting those security controls, whether it's Operations or IT, or whatever. There has to be an established priority from the top down that IT will sort of follow the security playbook.
Ultimately, calling the CISO the fall guy or the bad guy, it's never a good play by the business. It doesn't make it very easy to get a quality CISO in to fill in after someone you've just fired. Now there's probably a situation where a CISO has done something unfortunate. In those cases, you know, all bets are off.