Is your CISO really C-Level ? - Pentestmag

by Tommy Babel

There's a big hype around the title CISO - Chief Information Security Officer.

From my point of view, not only is it "overused" but also frequently abused: both (1) verbally, by people who don't really know what the key responsibilities of a CISO are at different 'complex business crossroads', or which 'PERSONAL Characteristics' and 'Professional ABILITIES' a CISO should hold to support his 'critical decision making', and (2) in practice, once this title is hastily handed out to people with so many different personalities, abilities, capabilities and levels of experience.

If I were to tell you that a role in my business is in charge of 'critical decision making' at different 'complex business crossroads', the CISO would be the last title most of you would think of. You would think of a Chief Strategy Officer, and maybe some of you would even come up with the CEO himself.

A few days ago, I came across a post where someone was saying he is "very sad" that too many CISOs have poor technical knowledge and so cannot effectively defend their organization.

Dude?! Wake up! If you are the technical guy and titled CISO, please be humble about it. You are on a journey and it will take some time. Be humble about it!

Apologies to some of the CISOs out there, but if you are not involved in the critical decision making at the business crossroads, you should respect being given the title and be VERY modest about it. Moreover, if you are unable to make critical decisions while under pressure to deliver business results, rubbing the title in people's faces actually means depressing its value and perception among peers and others.

I am perfectly alright with a business choosing not to put that unique individual, a.k.a. the CISO, in the position of being involved in the critical decision making, both when the business hits the fan and when it prospers and blooms. "Their choice, their problem".

But maybe we should stop handing out this delicate title to the guys who tell us we need a FW or an AV, or even the NG version of those. And also not to the guys who tell us we need to have a list of assets and manage the surrounding controls. And not to the guys who tell us we need to manage threats and vulnerabilities. And not even to the guys who tell us we need to manage the risks or achieve 'residual risk'.

An article posted yesterday stated that the CISO of one of the biggest corporations in the world is making around $2.5 million a year. Soon came the critics, sadly from within the industry, saying that's a waste, that they could "do a better job" for "half the pay", and other rubbish. That is instead of supporting the notion that this (probably successful, neither stupid nor insane) corporation had put the right individual as CISO at exactly the organizational position where he/she is able to actively affect strategic decision making and be closely involved in the steering of that giant business.

People with high IQ, more importantly high EQ, and most importantly HIGH AQ (Adversity Quotient) are very hard to find. If you (the business) did find that high set of skills in an individual and put him to the task of being your CISO, you are in a good place and it's worth every cent.

Now, a quick head back to reality. Not everyone can afford "Superman" at every critical position. So, what do you do? You hire a CISO to do his magic where it hurts, where you are most vulnerable and need serious attention. Any of the mentioned areas of expertise can be the weakest link; but in doing so you have to make sure you provide your CISO with the external help needed to cover all grounds: (1) expert managed services, and (2) a proper educational program to keep your CISO on the curve.

About the Author

Tommy Babel has been a passionate participant, entrepreneur and influencer of emerging Business Technology (IT/IS) lines of service for the past two decades, across various enterprises and different industries, delivering business value through methodology, governance and innovation, and specializing in cyber risk analysis, resilience, threat intelligence and privacy by design.

The article was originally published at:

August 13, 2019