"It's like a marriage..." SASIG’s Martin Smith MBE on the CISO and the board

"Imagine if boards said 'Oh, I don't really understand money, I'll leave that to the CFO'”

"It's like a marriage..." SASIG’s Martin Smith MBE on the CISO and the board

Few people have seen quite as many Chief Information Security Officers in action as Martin Smith MBE: he’s been one; he admits merrily that he’s been fired as one; and as the founder of the Security Awareness Special Interest Group (SASIG) he runs a large networking forum for CISOs and security professionals. The Stack caught the RAF veteran to discuss the changing face of the CISO role, soft skills, and getting boards on board with cybersecurity.

Martin, we’ve seen a lot of security incidents recently in which even large companies did not have a CISO in place (see Colonial Pipeline, for example). It seems like it’s a role that’s still emerging, still evolving. What’s your view on the role and how it’s changed over the years?

I have watched the CISO community grow over the last 30 years. I was what would now be called a CISO, back in the mid ‘90s: I was unqualified for it and unable to cope with it, because nobody really knew what the CISO’s job was – were they a techie working for the CIO? Were they a security person trying to cope with the technical environment? Even the CISO didn't really know what the CISO was...

There was little training, few qualifications, it was all very immature. Maybe you inherited the job as an IT person given the IT security job, then the job became bigger, so you recruited two or three mates to help you and you became the ‘IT security manager’, even though you had no management skills.

"The business lines need to understand this whole issue better as well, not just the board"

The job just evolved: sometimes the right way, but too often the wrong way. The candidates for those roles were typically techies: deep techies with few of the qualifications or the skills that managers needed such as people management skills and communication skills, especially upwards communications skills.

And as the job got bigger, that role became more and more vital to the organisation, so the individuals holding those roles became more and more exposed to the inadequacies of the situation.

I remember the internet arriving and briefing the board on what the internet was. ‘So what is this internet thing, Martin? Can I get one at home?’ We're talking less than 25 years ago. Everyone was totally ignorant: the Wild West arrived, and it was at our doorstep.

How much is the skills/talent shortage an issue in the CISO world?

Chris Ensor at the NCSC, who is responsible for bringing in new talent, was talking to us recently about the CISO roles: there were 20 boxes on their application forms but only about two of them were technical. The rest were things that managers need: communication skills, management skills.

We still don't have enough resource in the industry in general, and we still don't really have sufficient numbers of heavyweight players to satisfy growing demand – because moving away from the FTSE 100, most organisations of any worth now need that really specialist CISO advice.

See also: Veeam CISO Gil Vega -- "I don’t take this job home with me; I’ve been doing it a long time, and I’ve built a team that really operates under the premise that we’re in a perpetual state of compromise"

The skills shortage is now the single critical strategic weakness of the cybersecurity industry. We face tactical crises every day and we deal with them, it’s what we do. But I believe the skill shortage is the thing that is going to really kill us if we don't get behind it. There's a huge amount of activity in this space, but it lacks coordination.”

How much is the recent legacy you’ve described above an issue here?

In the 2000s some of the CISOs with these softer skills started to rise up to become very prominent: the ones that big banks, big pharma, big retail hired became cyber royalty.

In that same period, a lot of companies started to turn to the Big Four to provide them with these roles: but they were then poaching these same ‘rockstar’ CISOs and the salaries were going further and further north. It was costing organisations more and more to either outsource this role, or to buy their own staff. Meanwhile the IT security community were pushing away any internal scrutiny, saying ‘this is really clever stuff and only we can deal with it’, almost shielding boards from the detail.

As a result, not only were leaders both unqualified and inexperienced, but they were in short supply and getting more expensive by the day. Facing a growing threat from organised crime, international terrorism and nation state activity, is it any wonder we’ve had a crisis?

Any glimmers of light?

We have come a very long way in the last five to 10 years, not least because the government – the NCSC in particular, but also DCMS, Home Office, Cabinet Office, and the National Crime Agency – has recognised the importance of confronting the oversight gap.  I have been a vocal supporter of all that the government has done. We have come from a dark place of our own making and are now moving towards a strategic solution for organisations to be able to address their cyber security challenges. But some of the CISO community are still part of the problem.

Why?

Because they're still holding on too tight, and because the people they serve – the boards, the NEDs –  don't really know the questions they should be asking, and the things they should be looking for. Too often, the actual C-Suite with the responsibility for the running of the organisation still doesn't have the proper knowledge and experience to ask the important cybersecurity questions. That's where the non-executive directors come in. A good NED will know which questions to ask.

It’s a very stressful job and many no doubt feel the axe constantly dangling. Can board/C-Suite ignorance can play against people in the position too?

When things have gone badly wrong, that is the worst time to start sacking your CISO – I think organisations are pragmatic enough to know that. And when things go wrong, it's usually for things that aren’t the CISO’s fault, such as a lack of cybersecurity investment from the board, or basic IT housekeeping hasn't been done properly, or the business doesn’t see cybersecurity as a priority.

Ultimately, the responsibility rests with the board. It has a responsibility to understand the problem. Just imagine if boards said “Oh, I don't really understand computers – we're going to leave that up to the CIO”, or, “I don't really understand money, so I'm gonna leave that to the CFO” or “I don't really understand people management, so I’ll leave that to the head of HR”. No! The board has a fiduciary responsibility to understand all of this. That's why they're at the board level! All boards have a fiduciary duty properly to understand cybersecurity.

“By the same measure, if the board doesn't understand cybersecurity because they see it as too difficult or unimportant, that's simply because it hasn’t been explained to them properly.

People at board level are really bright, that’s why and how they got there. If they don't understand something then somebody in the chain hasn't explained it to them properly: in this context that’s the CISO. That’s why communication and soft skills are so important.”

What should organisations be doing to help support their CISO/make them more effective?

It's like a marriage: both sides have got to talk more to each other. Both sides have got to listen more. One thing that hasn’t been vocalised much is that the business has to make those cybersecurity decisions themselves: this can't be a central function. The business lines need to understand this whole issue better as well, not just the board. Cybersecurity has become a ubiquitous issue for the whole business:  instead of having just a central IT security team, every part of the business needs its own IT security expertise embedded within that refers back to the centre of excellence. I think that is so obvious. And yet, here we are 30 or 40 years into IT security,  and in too many organisations we still have a centralised IT security function reporting to the CIO, who too often doesn't really understand the issues in depth and delegates straight back to the CISO.

What makes a good CISO?

Good CISOs have the necessary technical knowledge, but they also understand their organisation’s mission and business objectives, are able to communicate upwards, sideways and downwards, and can manage their teams. I am delighted to see that a whole new generation of senior cybersecurity professionals with all of these skills are at last taking charge. The cybersecurity industry is in increasingly safe hands, but we must all continue in our efforts to attract new talent to our exciting and rewarding world.

Follow The Stack on LinkedIn