What Do CISOs Want, Anyway?

I spend a fair amount of time with other Chief Information Security Officers (CISOs), discussing Information and Cyber Security, and telling war stories about life in the trenches. As with all professions, there is an external face (what we tell our Boards and Leaders and Customers) and an internal face (what we tell each other). Mostly, these are the same things, just told with different language and perhaps with a different emphasis. Sometimes, they are not the same thing, because we recognize that our non-Security friends aren’t ready to hear what we have to say, or don’t want to hear it, so we don’t waste our breath. I thought I would brain dump a generic list of these things, for your consideration.

IT Needs to Get Its Act Together

I know, saying this is not going to make it happen, but really.

Data, and the IT Systems on which data are consumed, are the life blood of our society. IT Professionals need to manage their IT systems like this is a life and death situation. This applies to the smallest business to the largest. IT, and the services it provides, must be professionally executed, just like we expect the legal or accounting service provider to do.

If IT is not taking Security into account, they are being negligent. Even if they don’t care about Security, they just need to be doing really solid IT Operations. This means things like asset management, software updates, configuration and change management, authentication and authorization. Let’s start with those.

Until general, non-Security-focused IT can get this right, it doesn’t matter what kind of security protocols we layer onto or in this.

The Security Industry Needs to Get Its Act Together

It is time for Security to come out behind the wall of IT leadership, and assert itself as a business concern transcending all company silos. It’s time for Security to be seen as a strategic imperative, and to be consulted as part of all business strategies — not something that supports or trails those strategies. CISOs can do this by elevating and codifying the professional definition of Security, requiring more out of our security leadership than a defend/attack approach, and engaging Boards and C-Suites in the details of the Security domain.

We also need to stop Security Vendors, Researchers and Government Agency Leaders from being the only face of Security to the general public. They have a very specific view of the world which does not take into account the complexities of actually managing this risk across all pieces of business and society. We should identify leaders in the practice of managing Security, and make them our spokespeople when issues of Security need discussion in the public square. Can’t think of anyone? This is why we need to get our act together.

The Education Industry Needs to Get Its Act Together

From Kindergarten to Advanced Degrees, the education industry has not yet worked out how to educate people to be active managers of their own Security and Privacy, not just create technology/Security workers. I’m not only pointing fingers at the technology and computing disciplines. We are all part of a digital economy — we should all be educating our children and adults on how to thrive in this new world. We cannot wait. The answer may not only lie with traditional educational institutions — we need to be changing the culture of our society to be mindful about how we use technology in a secure and healthy way. After-school programs, summer camps, online education, technical schools, MOOCs.

For business leaders, we need to insist that training in Security and Risk is part of any MBA program.

We need to reduce the barriers to access for this training, and tailor training so that anyone in society can participate. This is as important as reading, writing and math, and is part of any well-rounded citizenship training experience.

Policy Makers Need To Get Their Act Together

Our politicians need to acknowledge the role that Security and Privacy and Ethics play in society, and to understand that they are obligated to pass meaningful legislation to protect society from the damage caused by technology misuse and abuse. We are interconnected — and the public utility of technology extends beyond just one company or government agency. In the same way governments provide for shared services, protect against air/water pollution, ensure investments in things necessary to society but not necessarily profitable for private industry, they must also create meaningful Security legislation.

Security legislation is much more than Breach notification. It covers national security, of course. It covers privacy and ownership of individual’s data. It also includes things like manufacturing standards, duty of care by security service providers, legal protections for security analysts and incident responders, and ensuring cyber insurance and other “protections” are more than snake oil.

If policy makers don’t personally have the skills to do it, they need to find the people who can, and ensure they’re engaged in public policy making.


When CISOs think about individuals they are charged to protect, the list of things we want gets much more tactical:

  • Don’t share or reuse passwords
  • Use a password manager
  • Use a VPN
  • Patch stuff. Always.
  • Use multi-factor authentication solutions where-ever offered
  • Be suspicious of every email you receive, from anyone
  • Enable encryption where-ever you can

Of course, individuals fail at these things all the time, because we haven’t worked out how to make these things part of the technology use experience. As long as folks have to think about doing these things, they will find a good reason not to. That doesn’t stop CISOs from wishing it would happen.


Security is not a project, or a product. It’s not a thing to be “solved”. Security is a state of being, for all of us. Some of us manage Security better than others — but “better” is a judgement best left to the individual.

The biggest threat to Security — for an individual, company, or a society — is people who don’t think about Security at all.

In this technology and data era, we cannot afford to have people ignorant to the risks they pose to others, or the risk others pose to them. So, what CISOs want can be boiled down to this: we need people to engage with us. We need folks to take Security seriously, as a first thought not an after thought. We need people to value it as a core principle, a moral imperative, a bedrock value. We need people to listen, and we want to be heard.