Yahoo Finance discusses why Facebook and Cambridge Analytica-like scandals paint corporate security officers in a bad light:
While the average tenure of a CISO across all industries in the U.S. is 4.5 years, according to Forrester, that stint may shorten when it comes to Silicon Valley, simply because of the nature of the work. Running cybersecurity at a high-profile business such as Facebook, which has access to 2.1 billion-plus users’ data and is constantly pushing out new features, arguably has more potential pitfalls than doing so in many other places.
“Tech companies are the tip of the spear when it comes to security,” contends Jeff Pollard, a principal analyst at Forrester. “I think being a CISO at a tech company is definitely different than being a CISO in a different industry, primarily because you’re really dealing with talented people doing bleeding-edge work.”
While running security certainly makes the CISO a potential scapegoat when push comes to shove, on a day-to-day basis, there can also be a tug-of-war between what the CISO thinks is best for the company and what other executives want. For instance, enacting stricter security measures may contradict other executives’ plans for rapid user and revenue growth — a prerequisite for many businesses to succeed, particularly in an über-competitive, fast-moving industry such as tech.
Specific to the last point, security should never prevent mission-critical operations from executing. It should be a business enabler, ensuring corporate compliance with applicable industry regulations and laws, but never pitting itself against operations. Businesses and government organizations have missions to achieve, and they need to be allowed to reach those goals, but in a safe and secure manner.
The other thing about the CISO position is where it falls within the corporate hierarchy. Is the CISO subordinate to the CIO, where it is often placed, or does the CISO report directly to the CEO? I always advocate for the CISO and CIO being peers. They should be working in concert with each other to ensure corporate operations remain functional, while doing so in the most secure manner possible.
All too often, when the CISO is subordinate to the CIO, security gets the short end of the funding stick. CIOs are more interested in operations and in adding shiny new gadgets that executives and general employees can appreciate, rather than in security measures that are wrongly perceived as getting in the way of work.
The CISO has a tough job, and as long as they have C-level and board support, they should be successful. Without that support, failure is almost guaranteed, especially should a breach or other security incident occur.