CISO 2.0: Enterprise Umpire or Wide Receiver?

CISO 2.0: Enterprise Umpire or Wide Receiver?

There’s a pretty well-known characteristic among umpires. Just about any of them will tell you that a good day of work for them is if nobody notices that they existed. For the most part, that’s the truth. We notice when they blow a call, but don’t give them any thought when they’re doing their job successfully.

For years that’s been the role of the Chief Information Security Officer (CISO). The primary goal of the security department has been to keep the organization out of the newspapers. As long as no data was leaking and no regulators were barking, the CISO could operate as a cost-center in relative obscurity. Much like an umpire, the CISO was unnoticed when he was most successful. We’ll call this CISO 1.0.

The opposite end of the sports spectrum is the wide receiver. This is a position where success is defined by being in the spotlight. If this guy isn’t catching touchdowns and actively adding value to the organization, he isn’t seen as a success. His position thrives on being in the action and adding value to the team.

At this year’s RSA Conference, I attended a session where one of the speakers (a highly experienced security leader for whom I have great respect) made a comment that CISOs want to be noticed “not at all.” I don’t know what percentage of CISOs still operate under that mindset, but I believe it’s past time for a change. Security leaders have been umpires for too long, and it’s time to start flashing a bit of wide receiver.

Areas that do not provide significant organizational value are eliminated or commoditized

The nature of the business world is to invest our limited resources in areas that provide value. Areas that are not providing significant organizational value should either be eliminated or commoditized (to pay the minimum cost possible while maintaining compliance). In security, it is our challenge to demonstrate to the business that the money they invest in us goes further than just keeping us out of the newspaper. Security can deliver tangible benefits out to the business.

An effective security program can reduce the costs of creating products. By maturing our security program we can seamlessly implement security earlier into our projects. By implementing earlier we avoid the painful, time consuming rework that comes with needing to bolt-on security after the fact. Effective security can reduce the production impact of client penetration tests and regulatory changes by working their security requirements into the products the first time.

World class security is a key differentiator in many industries, including financial, government, healthcare and large public organizations. A mature security program is essential for successfully navigating processes like the Department of Defense’s Certification and Accreditation. If your organization provides services to these types of high-demand clients, security can be the difference between getting the sale and losing the business.

The number one value: real perspective on the organization’s data risk. Getting a real measure of an organization’s cyber risk is extremely difficult. Counting on auditors (internal or external) is never going to give the entire picture. But a security department with relationships throughout the organization, with boots on the ground, and personnel with intricate experience working with the technology… that kind of team really has all the tools necessary to tease out the information security posture of an organization. A mature security leader can utilize those resources to provide higher quality risk measures that can allow the organization to see (and avoid) many disasters before they strike.

CISO 1.0 still exists in many organizations, and still will exist for as long as I can foresee. The organizations with those leaders will continue to reduce their security costs, and continue changing the security function into a compliance checkbox designed just to keep regulators, clients and auditors happy.

CISO 2.0 is a growing breed, and looks to break out of the reactive, compliance-driven mindset. This CISO wants to bring new value into the board-room, expanding the ways security improves the positioning of the company. This CISO will still be held responsible for keeping the company out of the newspaper, but can also be known for reducing costs, increasing sales, and helping shape organizational strategy.

Connect with


6 thoughts on “CISO 2.0: Enterprise Umpire or Wide Receiver?

  1. Robb – I think you’re onto something here. I think the name “CISO 2.0” may be a bit off-putting for some, so perhaps the “visible CISO” may be easier to swallow – but no matter what I think that today’s CISO is tired of standing in the shadows.

    It all comes down to showing business value of information security programs, policies, and people – and the ONLY way to do that is through valid, business-relevant KPIs.

    So … does today’s CISO has a much higher reliance on demonstrating business value and pushing corporate goals than ever before? Absolutely.

  2. Raf,

    Thanks for the note. Unfortunately I haven’t taken any marketing classes yet… so my name choice might leave something to be desired. The Visible CISO might indeed make sense.

    As long as CISO’s continue using FUD to get their agenda passed, we will not be able to show the kind of business value you so rightly mention. “I stopped you from getting nuked by hackers,” while critically important, is not the kind of objective that is going to interest and gain the attention of the board.

    Thanks again for stopping by.


  3. Thank you for taking the time to read and comment on this topic. I think you raise a very good point. Security is more and more frequently getting rolled up into an IT governance function. Whether or not this is the appropriate place for it is an interesting question. I am going to give that some more thought, and perhaps do a post about it in the future. I can see the good to that (direct access to other governance functions, like PMO, and finance), and the bad (potential conflict of interest, potentially not getting attention at the right organizational level).

    Thanks again for your feedback.

  4. Rob, I enjoyed your post and ultimately referenced it in a blog post of my own. I’ve been trying to figure out the best way to expound upon, what I feel, are significant changes occurring for infosec professionals these days.

    Link to my post:

    • John,

      Thanks for taking the time to read and reply to my post here. You’re right, the role of CISO, and information security in general is changing rapidly. In order to meet the needs of our customers, we need to change along with it. From technologist to risk manager to business-person.

      Thanks again for your thoughts and your own post. I read yours as well, and it’s great to see other folks out there beating the same drum, moving our conversations in the right direction.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s