The Impossible Role of the CISO

JC Gaillard
Oct 1, 2019 · 4 min read

Security Organizations must evolve. The CISO cannot be credible on all fronts

A recent comment I read on Linkedin made me think.

It was in response to a post on zero-day vulnerabilities and software patching, and roughly translated from the French, it read as follows:

“One day, you stand in front of the Ex Co having to explain how the millions spent on cyber over the years have improved their level of protection; then you go back to your desk to discover that 3 new vulnerabilities have just turned up which need patching across the entire estate. Welcome to my world!!!”

While I accept this reflects the life of many CISOs, it attracts comments at two levels:

First of all, if the “millions spent on cyber over the years” had been spent in the right places, none of the issues highlighted here should be a challenge for the CISO.

A cyber security practice needs to be a structured practice built around people and processes, supported by technology. Reporting capabilities should be embedded in it and inform any management decision up to the board. You build those over time. It requires mid to long-term vision and leadership from the CISO, but that’s how the “millions” should have been invested over the years: People, Process THEN Technology.

Of course, many cyber security practices have been built the other way round: Jumping straight at the first technology solution every time something happens or at the first sight of an audit point, buying some tech product to address alleged quick wins, then wrapping processes around the capabilities of the product … just to discover that you can’t justify the resources to operate the way the product needs to be operated (before complaining endlessly about management and budgets; at which point the CISO generally moves on to their next job…)

This cannot carry on. Short-term focus on non-existent quick wins has led to a product proliferation problem which is simply killing security operations practices, and many large organizations are nowhere near the level of security maturity they should have reached with regards to the amounts invested over the last 10 to 15 years.

Many CISOs are simply trapped in endless projects, tactical games and firefighting. They struggle to see the bigger picture, while at the same time, many senior executives have now entered the “when-not-if” era and expect real action.

Meanwhile, breaches keep happening and, over time, distrust sets in between business and security leaders. This spiral of failure also breeds a talent-alienation dynamic, and security problems can rapidly become self-perpetuating.

Organizations which find themselves in such a situation must look back without complacency at the roadblocks which have prevented progress on security matters in the past: invariably, they will be rooted in culture, governance and managerial short-termism.

To break this deadlock, they will have to attract and inject raw management talent into the security equation, and to that effect, current security organizations will have to evolve. Which takes me to my second point, in relation to the Linkedin comment I started from.

The CISO role which it refers to — although very real today in many organizations — is inherently flawed.

Nobody can be reasonably expected to be GENUINELY and EFFECTIVELY credible from the board down, across all managerial and technical layers of the enterprise, and transversally across all its silos, from HR to Legal, Procurement or Compliance — and of course across all geographies and cultures for global firms.

This profile simply does not exist (or is so rare it’s not worth looking for). Yet, in many organizations, it is more or less what is expected of the CISO, partly because of the inherently transversal nature of security, partly because no-one else appears to be relaying the security message.

This also cannot carry on: Security organizations in large firms have to restructure themselves in depth to encompass and structure all relevant disciplines and allow each of those to develop as it should, at its level.


Within a structured organization, roles should be defined and distributed to attract the best: The person talking to the board on security matters and the person making sure the IT estate is patched should not — and cannot — be the same.

In this context, the traditional role of the CISO will have to evolve, and probably leave the centre stage to a broader CSO role, which could be used to attract and develop a new generation of leaders into security roles.

This is absolutely necessary to address the transversal nature of security — and privacy — matters in large firms, and break the spiral of failure which has plagued cybersecurity for the last decade.


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.


JC Gaillard

Written by

Founder & MD @CorixPartners | Co-president #CyberSecurity Group @TelecomParisAl | Non Executive Director | Author | Blogger | Cyber Security Leader

Security Transformation Leadership

The Security Transformation Research Foundation is a dedicated think-tank and research body aimed at approaching Security problems differently and producing innovative and challenging research ideas in the Security, Business Protection, Risk and Controls space
