Jason Hart, CTO of Gemalto, is on a mission. He wants to formalise the role of CISO. “If I want to be a CFO I need various qualifications,” he explains over the phone. “If I want to be a CISO that isn’t the case.” He believes the role of CISO should be formalised – like an accountant – with mandatory regulations and training. “This doesn’t need to be complicated,” he stresses. “The simpler it is the better.”
The position of CISO is a difficult one though. The business importance of this individual has changed rapidly over the last few years and some see the position as a classic short-term fall guy – ready to be fired with the first breach. Hart says to do the job well you need someone geeky, good with people and good with business processes. “The dynamics of a CEO, if you like.”
“I was an ethical hacker,” he adds “and every successful breach came down to understanding the business process and understanding the level of risk.” He believes this means that while being technically savvy is a useful skill for CISOs to have, the most important thing is to understand business processes. “If you come from a non-technical background [you might be better at] engaging the board members.”
It is the fluidity that comes with the role, however, that many individuals see as a challenge to regulation. Ian Platt, Co-founder and President of Bromium tells me, when I meet him in London, that he thinks “as an industry we’re too early for this”.
“A lot of policy is wrong,” he says “offering the example that 95% of contracts [specifically state you must run anti-virus on every machine.”
It is certainly true that any regulations that do come into place would need to cover a lot of ground and would need to be regularly updated. And interestingly, the US National Association of Corporate Directors (NACD) has come up one non-mandatory solution – which may get the ball rolling – with the recent launch of its first board and director level cyber course.
Whatever your personal views though, this is pertinent topic, and one that is likely to get raised more and more over the coming years. So, with this in mind, I asked a range of professionals to come forward and comment about whether they thought the CISO role should be regulated.
Opinion was mixed with a general swing towards lack of regulation. And while many felt too many exams might not be helpful overall plenty still agreed that the role itself should be formalised. I’ve listed some edited highlights below in no particular order.
Accountancy roles were scoped out decades ago
“Accountancy and financial roles have been in existence for generations and as such are well defined in terms of the scope and depth of responsibility any given financial expert can be accredited to. The CISO role is a relatively new role and encompasses multiple disciplines across many areas of a business from Budget, Business and Technical disciplines, governance, compliance and audit through to legal and human resources.
“This level of diversity would make the design delivery and execution of an examination process for a CISO incredibly challenging. Combine this with the budgetary constraints that CISO’s typically have to work under and the reporting lines it is difficult to see what benefit a qualification would have over simply defining the role with more clarity and focus, better resourcing, financing and board level support.”
Chris Dye, VP of Marketing & Communications at Glasswall Solutions
CISO standards should only be put in place for regulated industries
“I think we’re likely to see the adoption of some sort of standard for CISOs in future, but probably only in regulated industries.
“I’m not sure that mandatory exams are the answer. CISOs need to have a wide range of skills, but most cyber accreditations focus solely on technical understanding. I would want to have a CISO that understood how to drive change in an organisation, for example, rather than one who knew how to run Python or create a security network architecture. The danger with the exam route is that it becomes a tick-box exercise, whereas organisations need CISOs who fit in their systems and can talk to everyone from the Board to the cleaners.
“If CISO regulation was to be introduced, I would prefer for it to be based on whether that person can pass a ‘fit and proper’ test, rather than whether they could pass an exam.”
Vince Warrington, Founder at Protective Intelligence
Too much emphasis on the head honcho
“Imposing mandatory criteria on people taking up roles has both advantages and challenges. In the case of the CISO, it is worth highlighting that as a role it is hugely diverse – spanning a range of technology, people and risk disciplines. Often it is the combined capabilities and expertise of the security team that needs to be assured – rather than the single individual at the top level.”
Amanda Finch, General Manager at the Institute of Information Security Professionals
There is a lack of clarity without regulations
“There is a lack of cyber knowledge within the board and as such, it’s often up to the CISO to convince and demonstrate where he or she should report to and to what degree the scope of their programs are. I have had the privilege to operate as a CISO in an organisation that treated cyber as a board level discussion, while also being heavily regulated.
“When the board is asking the tough questions, my job was a lot easier than waiting for a third party auditor to assist me in items I was already aware of but lacked the support to prioritise. By having a regulated CISO role, clarity would arise. The CISO role would most likely move in reporting structure to a place it often does not today.”
Paul Calatayud, CTO at FireMon
Regulation would need to be bespoke and tailored
“The modern CISO is intrinsically more aligned to the board room, rather than a technical security perspective. Organisations would ideally want a CISO that holds experience and knowledge around the business case for security and a technical security background. To fill any potential gaps in expertise, a bespoke exam and education programme should be tailored around that individual, to essentially evolve them to hold the desired skill set needed for their role.
“However reoccurring regulatory exams would not be encouraged at this level and may result in a negative perception of the organisation’s trust in that individual – the same way you wouldn’t assess the CEO of an organisation through exams on a regular basis.”
Salvatore Sinno, Chief Security Architect at Unisys
Scoping out the CISO function is more important that regulation
“Creating a regulatory framework flexible enough to operate across different verticals, organisational sizes and maturity levels, would be difficult – what would work for one may be to the detriment of another. All CISOs want to move their organisations forward, but there is usually a need to demonstrate the value of security to a business to garner the investment needed. This can be difficult, as the implementation of metrics to demonstrate value (rather than cost) can require investment in itself – catch-22. In my view if there is any regulation considered it should be aimed more at defining what (and maybe to whom) CISOs report within corporate structure, rather than their role, as that would necessitate the definition and implementation of metrics that allowed organisations to monitor their risk more effectively.”
Darren Anstee, Chief Security Technologist at Arbor Networks
Cyber skills are scarce enough without more barriers
“There’s no need to create yet more barriers for entry when we have a shortage of cybersecurity expertise globally. There are already many programmes that require on-going professional education such as ISC2, ISACA, to maintain security credentials. There’s also numerous undergraduate, graduate, or post-doc courses in the field of information security.
“When it comes to the role of the CISO, businesses should be focused on assessing their organisational risk and managing it on a continuous basis as it is a variable, not a constant. This includes engaging proactive security services such as independent assessors and pen testers to check, verify, and ensure no known and unknown vulnerabilities are going unaddressed. It is important to review and manage security gaps that may occur at the people, process or technology level.”
Jerry Dixon, CISO at CrowdStrike
CISO regulation will be a long-term game
“Having a professional or regulatory framework would ensure that the wider industry can learn from potential mistakes and prevent repetition of these elsewhere. Having such a framework in place, however, is unlikely to be established in the short-term.
“Whilst the skills and capabilities of the CISO can be traced back to the foundations of computing in the 1940s, it is still to reach maturity. IT security, as a sector, tends to move a little faster than most but we are still some way off it reaching a regulated stage. Further delays may be expected from the critical shortage of skilled CISOs in the market and the global mobility of CISOs given the demand.”
Stephen Bonner, Cyber Risk Services Partner at Deloitte
Don’t stifle the fall guy’s creativity
“One reason for regulating the role could be to ensure CISOs meet a minimum standard of knowledge, skills and experience, demonstrated through some form of assessment. It begs the question who would be competent to perform such an assessment? Organisations, supervisory bodies and law enforcement are struggling to keep pace with modern attack techniques. With limited understanding of how incidents occur, how attacks are likely to evolve, and what effective defences look like, the prospect of a single body providing reliable assurances on an individual’s ability to meet these challenges seems remote.
“Another reason to regulate is to maintain standards, by increasing the consequences of non-compliance. Yet arguably the consequences for a CISO who fails to prevent, detect or effectively respond to a cyber incident are already severe (cynics might even regard a CISO as someone to sack in the event of a data breach). A more effective approach could be to increase the chances of ‘catching’ an underperforming CISO, through continuous effective oversight and challenge, rather than an entrance exam at the start of their tenure and the risk of stronger sanctions in the event of an unfortunate end. Ideally the board should provide this challenge, holding CISOs to account in a similar fashion to other seniors. However given the current scarcity of this expertise, appropriately qualified non-executive directors could also provide this challenge.
“The last thing societies that live and conduct business online – and therefore require effective cyber security – need is to put obstacles in front of would-be CISOs. Security is already in competition with other industries to attract the brightest minds. Greater regulation could make it harder for organizations to recruit and maintain scarce skills, if candidates choose to pursue other roles, or move to less-regulated industries or regions.
“Regulation may also stifle creativity amongst leadership in an industry that demands innovation, given the current asymmetry between the perpetrators of cybercrime and those charged with defending organisations and their data. Organisations need CISOs who can set a vision for security, and design security over a number of years to enable business objectives, manage and measurably reduce risk in a cost effective way. It might be more advantageous to offer security professionals a path to develop the skills expected of the modern CISO, beyond the typical role of the security manager – for example leadership, selling security internally, and business enablement.”
Ed Parsons – Associate Director of MWR InfoSecurity
University courses already cover this
“I would think a Masters in Information Security (MIS) degree programme fulfils this function, just as a Masters in Business Administration (MBA) leads credibility to the senior ranks of management and executives. I don’t think a CISO position lends itself to regulation and mandatory exams in the same way as a Certified Public Accountant (CPA). There is more diversity in the CISO role, than say a Chief Financial Officer (CFO) role, or the precedents and requirements that are well established for Generally Accepted Accounting Practice (GAAP). There are multiple frameworks, best practice suggestions & guidelines, and many different legislative and regulatory requirements, many of which are far from prescriptive. What is considered ‘best practice’ in one industry, may be impossible to implement in the next.”
Ian Trump, Global Cyber Security Strategist at SolarWinds
Regulation is necessary for board visibility
“Regulatory encouragement will push boards to ensure they achieve greater visibility and security into the enterprise and its resources and data, which is an incredibly needed and positive step.”
Myles Bray, Vice President, EMEA at ForeScout Technologies
Existing compliance is quite enough
“I don’t believe it should be regulated as the compliance standards an organisation aligns themselves with delivers the regulatory guidance with industry ordained measurement (as a minimum). As long as an individual can demonstrate the right level of ‘business understanding’, with an understanding of the security impact on business, calibrated by industry aligned compliance standards, there is no need for any other person centric regulation. This is definitely a role where experience can deliver real value and much of that cannot be tested in an exam format.”
Colin Williams, Chief Technologist – Networking, Security & Unified Communications at Computacenter
The argument against regulation is stronger
“CISO is a risk management role and as such should be considered for regulation as actions by less competent CISOs could have dire consequences for their companies. However that are stronger arguments against.
“[Such as] what makes CISOs different from other C-suite executives? How this would be implemented and measured. What differentiates a regulated CISO from a non-regulated one?
“There’s [also] a need to understand / agree (or not) if this is about IT Security, Risk, Compliance, Information Security, Cyber Security which ‘should’ combine into a single business suit. The technology and security aspects change, so facts that regulation based on would be outdated very soon.
“Most CISO are already members of ISC2, ISACA or other internationally and nationally run security certifications. At least some are worth considering to become de-facto standard for CISO.
“Instead of regulating CISO roles, the international community should decide on one set of up to date (and regularly updated), comprehensive and practical standards for information security.”
Vladimir Jirasek, Managing Director at Jirasek Security
The industry is already too regulated
“In my opinion no [CISOs do not need to be regulated], this would cause a massive problem for the industry that is already struggling to attract talent. Today’s CISO would typically hold a global industry accreditation like CISSP/CISA/CISM which provides a core set of skills and demonstrates competence in the field. The experience of the individual should be considered first and whether they would be a good fit for your organisation second.
“Although the accreditations don’t require re-testing, they do require professionals to maintain continuing professional education (CPE) points. For an organisation to recruit a CISO they must ensure that the individual has an industry accreditation in good standing.
“The Cyber/Infosec/IT Sec field is already heavily compliance and regulation driven and most, if not all security professionals are spending a lot of time and money on PCI DSS/Sarbanes Oxley/HIPAA. They are also beginning to prepare for GDPR. In most cases the regulation requires an independent third party assessment to sign off of the security practices of an organisation and provide assurance that organisations are doing the right thing.”
Darron Gibbard, Chief Technical Security Officer at Qualys
Business pragmatism is hard to regulate
“In a sector where skills are in short supply, the last thing we should be doing is putting up barriers to stop the right people from becoming a CISO. With GDPR looming, there’s a greater understanding than ever before among businesses about the importance of securing their information. What they need isn’t technical purists, but business pragmatists who can make a decision on security that is aligned with their organisation’s needs.”
Mike Turner, Global Cybersecurity Business Leader at Capgemini
Regulatory compliance is already coming in via the back door
“Due to growing cyber threats the positions of CISOs may also become a subject to regulatory compliance in the nearest future. Apart from additional burden in terms of new responsibilities, CISOs will have to prove to regulatory bodies that they have enough expertise to take full responsibility for data security. Likewise, organisations will have to prove that their CISOs can assess potential risks, detect violations to corporate security policies and create an effective data breach avoidance plan.”
Alex Vovk, President and co-founder of Netwrix