
November 10, 2009

Is the CISO position really best suited for a glorified consulting gig?

I have been speaking to a lot of folks over the last few months about what I think is missing or is needed in the security market. I have heard a consistent fact pattern. It is the familiar question: does management really give a crap about security, or is it all about just passing the audit? Last week I had a chance to read a heartfelt lament from AndyIT Guy. It is titled “the tale of an unsatisfied security professional”.

I have corresponded with Andy over the years, but I don’t think I ever met him in person. But it doesn’t make a difference. Reading Andy’s story, it is the security everyman's story. On the whole, security folks are a passionate, dedicated lot who really do want to make sure that nothing bad happens on our watch. For the most part we know what needs to be done from a process, policy and technology perspective. The problem is getting the budget and support internally to make it happen. For too many of us the auditor is our best friend. “They won’t listen to us, maybe they will listen to him” is the plan of attack.

Even at the CISO level, where you supposedly speak the exec language, it doesn’t work that way. So many CISOs I have spoken to feel like they get a six month to a year honeymoon where management feels they have hired someone for big bucks and let’s let him do what he has to. A good CISO can put the policies, processes and technologies in place in that time frame. Perhaps even turn it over to some lower level people to caretake. But that is where the honeymoon usually ends. Management feels they have done enough to feed the security/compliance monster. The CISO is a drain on expenses, and he or she is always asking for the next shiny widget or saying you can’t do something that will make someone’s job easier and earn more revenue.

From there the road is predictable. It is pretty much as Andy describes. So if someone were smart they would recognize this. Perhaps you are better off coming in as a CISO with a short term mandate to put the process, policies and technology in place, then handing it off to a caretaker and moving on to the next gig. I have seen similar business models with CIOs for hire. If someone were smart, a consulting type business built around that may in fact be just what the security doctor ordered.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.