On Scapegoating CISOs
I saw an AMA thread on r/netsec earlier today that was quite interesting. The session was held by Michael Coates and Rich Mason who served as Chief Information Security Officers at Twitter and Honeywell. The most interesting question they received IMO (and coincidentally the top comment in the thread) was on scapegoating CISOs when a company is hit by a security breach. I thought their answers were thoughtful and informative so I decided to share them with you.
Question
After a major breach, it’s often the CISO that falls on their sword and finds themselves looking for work. Do you think this a good display of accountability, or a damaging form of scapegoating — especially given that breaches are now an accepted/expected occurrence, and that in lower security roles, a culture of blame is considered harmful
Asked by: sanitybit
Michael’s Answer
In my view, a CISO’s role is to build a solid security and risk governance program, empower leadership with a system that surfaces risks and provides available mitigating controls to lower risks that are too high, and builds the security “scaffolding” to introduce security best practices across the company.
However, if a single person is to blame for any security failure across the company, then that same person must have the authority to veto any decision based on risk. That model is absurd as every business takes risks every single day.
So, should a CISO immediately take the fall for a breach? It depends. It depends on whether the elements a CISO was responsible for were developed and operating effectively. It depends if individual leadership teams decide to take calculated risks that backfired or if someone deviated from designed policies & practices.
There’s no simple answer. But I do think the most important item is to realize that there is no single savior that can prevent breaches. The CISO and security org empowers and educates a company to make thoughtful decisions around security and technology risk. But they alone can’t prevent or control all actions. Align authority and accountability so that the leader or individual, whether in the security team or not, receives praise or punishment for actions contributing to a security failure.
Rich’s Answer
CSO – Chief Scapegoat Officer. I think it is increasingly important that senior security officials have an employment contract with clauses to this effect (golden parachute). The temptation to pin the tail on any one person is too easy without such safeguards in place. Too many companies see security as a bolt-on versus a built-in.
That said, if the CISO didn’t reasonably establish a baseline of where the organization was when they took charge and reasonably march towards an agreed-upon target of funded control maturity and process, they should move on.
It is unfortunate that the combo of stress, misalignment on funding/support, and tendency towards scapegoating keeps the average tenure of a CISO at ~ 18 months. That isn’t enough time to make meaningful change in an enterprise.
Full AMA can be found here.