Responsibility vs Capability in the CISO Role

Friday, February 17, 2012

Rafal Los


I just finished editing a podcast (Episode 10) where I got to sit down with Gene Kim, the guy who wrote the Visible Ops book - a staple of every good IT manager's bookshelf. 

I can't help but write a little bit about one of the topics which just resonated with me based on some of my job history. 

The idea of "blending in with the furniture" is one that I know many IT managers follow in organizations and situations where they feel they simply cannot succeed.  Let's break this down because I know many of you are feeling this pain.

Responsibility vs. Capability

In a previous [IT] life, and one I sometimes look back to for wisdom, I had a close friend who was put in a position where he could not possibly succeed.  This was not an opinion, or a gut feeling, this was truth. 

He was saddled with what IT folks commonly refer to as "herding feral kittens," which means that he had no budgetary or executive capability, but was given the responsibility for the [information] security of the combined multi-national corporation across a dozen or so P&Ls (business units). 

How do you succeed in a situation like that?  Simple, you have two choices as far as I'm concerned. You can do one of the following:

  • "tread water" - or like the title of this blog post says 'blend in with the furniture' and try not to cause too much of a ruckus and get yourself fired while building up a resume and thinking about where you'll be employed next.

  • catalyze change - which means you put on your big-boy pants, read Gene's book on Visible Ops and get down to it and take those lemons they've given you, making the best **bleep** lemonade man has ever tasted.

Responsibility is the bane of every CISO's existence. I have never met a CISO that doesn't feel like they're on the hook for every negative technology-related (and sometimes non-technology-related) thing that happens in the company. 

When a malware outbreak bogs down the network you will be blamed because you didn't prevent it... and it doesn't matter that the CEO was the cause of the incident because he broke policy and brought his home laptop in to work with him. 

When the network is slow it's the firewalls, or IPSes, or any number of security-related mechanisms that are at fault... naturally because security, even though it's 2012, is still seen as the slowing force of business. 

The gut reaction of many business folks is to tear out the security bits to "fix" the perceived issue, and even if that doesn't solve the problem, it's rare the security bits ever get put back in properly ... unless you have evidence that your security bits aren't the source of the problem.  More on this in a bit.

Responsibility also bites you as the head of technology-based security across many business units even if you can't command those business units how to run their ship.  It's like being a commander of an armada, but your various captains can all run their own ships in any manner they please.  You can quickly understand why a war strategy would fail, but somehow when ego and business boundaries are factored in it's simple to get caught in this game. 

Yes, you're the "global CISO" and you have 10 direct reports, one from each business unit, but even though you set policy across the global organization no one has to follow it. And what's worse, you don't have enough budget (or control over theirs) to make any real change happen "globally."  This is a very tough situation to win forcefully and it makes a great case for blending into the furniture.

Capability is often seen as the ability to enforce.  Whether it's based on corporate politics, budget, or simply a top-down leadership reporting structure, capability is critical to being a good leader.  If you don't have the capability, as I alluded to in the paragraph above, to make people follow organization-wide decisions, it gets very difficult to have a solid organization. 

It's just impossible to be the defender when everyone is defending in their own way, using their own technologies, and leveraging their own partnerships.  Capability often comes from either earning respect, or being delegated power from on high. 

You're usually delegated power from "on high" when either (a) things go horribly wrong and the business needs someone to make a massive change fast, or (b) they need a scapegoat because they know things are about to go terribly wrong.  Knowing the difference between these two is crucial to your career... trust me, *cough*.

So how do you become the catalyst for change?  I'll tackle that tomorrow, in the next post, as this one's already getting a little long-winded.  I'll give you some ideas on how to be a serious catalyst from my 10 years of managing in organizations ranging from small (~50 employees, ~5 IT) to massive (~500,000 employees, ~5 direct reports)... and it's mostly based on personal failures and successes.

It's easy to get lost in the mindset of "woe is me" and feel sorry for yourself.  It's really hard to sit down and decide that there is something you're willing to do about it.  You've got to be willing to put your job, and sometimes your career, on the line when you make that decision. 

But the bottom line is you can't just blend in with the furniture, so tune in again for the next post...

Cross-posted from Following the White Rabbit
