by eganist 1203 days ago
From what I've heard from other CISOs:

You own a bunch of unsolvable risk and your head is one of the first to get lopped off if you're popped.

Honestly, the CISO role probably needs a golden parachute and a direct report to the CEO for it to be an appealing path for most anyone who's experienced it at least once. The former to incentivize owning that much risk, the latter to enable the role to drive change.


That's insightful, but I still think the assumption that the CISO has to go when the company gets compromised is a big issue. Instead of security being a team effort, with the goal of making the hard choices together and finding the right compromises to let the business thrive while being secure, it usually makes the CISO take an adversarial position towards anything in their company, since it's always their head if something bad happens.

Amazing CISOs lead security by enabling others to make secure choices that still let them move quickly and deliver value. To do that, they shouldn't always be one hack away from losing their job.

The CISO is an odd role because it mostly has to help protect against tech risk without owning tech, and because it's a bit of a crap role, you end up with all sorts of the wrong people and behaviours in the role.

Common Pitfalls:

- Act as a gate that slows everything down, i.e. it must be secure, which in turn makes things less secure, as there's less time on the board to fix things.

- Chase massive budget. Eventually get massive budget. Buy silver bullets that don't fit in tech's guns.

- Focus on the non-tech parts. We'll train people not to open cat.jpeg.exe instead of, you know, auditing their usage and turning off their kit / login when they're pwned.

As with anything, it's all about the people you put in place, but my experience is that the average large-company CISO sits on a pile of paperwork and IT security whilst their servers aren't patched.

The CISO gets blamed and fired because it’s a language that shareholders understand. You think shareholders are going to understand that the CISO enabled others to make secure choices?
CISOs are starting to report to the board. The biggest challenge is budget. It's hard to put an ROI on a theoretical risk whose chances of happening are at best an educated guess. Most company leaders don't value detection of a breach, only prevention, so things like the significant cost of storing network flow logs are an uphill battle.
I fumbled on an interview once when asked “tell us how a security initiative you led brought value to your organization”. I rambled on about average breach/downtime cost but I couldn’t quantify anything on the spot. In retrospect, I should have focused on man-hours saved through prevention systems. It’s a hard sell!
CISO direct report to CEO can be bad politics.

CISO direct report to CTO can be a conflict of interests for the CTO.

C-suite positions need a golden parachute because they can be career-ending. You don't climb to the C-suite then go back to being an IC or lower-level director.

CISO can be even riskier than other C-suite positions. So CISOs really need golden parachutes. But CISOs almost certainly don't get golden parachutes worth their while -- they are generally seen as less important than the CTO, CFO, COO, and CEO.

If a risk is "unsolvable" it gets accepted as is by the accountable person in the business side of things. They will/should have good reason why they can't solve it.

Plenty of companies keep their security teams + CISO after they get popped.

Any Cx0 that has a boss besides the CEO isn't a C at all.
You'd be surprised how often this happens though. I've seen all the following structures:

CISO -> COO -> CEO

CISO -> CIO -> COO -> CEO

CISO -> CSO -> COO -> CEO

CISO -> CLO -> CEO

CISO -> CLO -> CFO (wtf?) -> CEO

And none of:

CISO -> CEO, or even

CISO -> CSO -> CEO

The only one I've seen be extremely effective, aside from a direct reporting relationship, has been where the role reported up to the CLO (general counsel) and that role reported up to the CEO directly. When reporting up to the CIO or CFO (again, wtf?), there were conflict issues at play, where the CIO or CFO was obligated to prioritize their main mission. CISO to COO generally worked fine from what I saw, as did CISO to CSO to COO, but it meant the CEO was often shielded from issues where they could have impactfully moved the needle where needed.

---

The CFO one was at a company owned by private equity, which makes perverse sense when you consider that most business leaders consider infosec to be a pure cost center rather than a business enablement function. Doesn't help that many CISOs historically never ran their shops with business enablement in mind either, which put a lasting dent in infosec's reputation as a function that many emerging leaders are still trying to rehabilitate.