Anatomy of a CISO

A typical CISO? There is no steadfast blueprint for today's breed.
Jill Knesek, BT Global Services
Ed Gibson
There is no typical entry route into the role of CISO

Applying the law of averages, the chances are that the vast majority of the information security professionals reading this have yet to gain the title of Chief Information Security Officer. That doesn’t mean that you don’t aspire to the job, or that you are not entitled to be a little intrigued by just what a CISO is, what they do and what it takes to become one...

An Average CISO?

Jill Knesek is the 45-year-old chief information security officer with BT Global Services in the US. If you are one of those folks who believe in stereotyping, then you will have already noticed that Knesek, being neither a man nor, for that matter, old, does not match many people’s notion of a typical CISO. Indeed, some might argue that there is no typical CISO genetic blueprint. Which is not to say that members of the CISO club do not have certain characteristics in common with one another, not least the ability to thrive in a challenging working environment.

When we asked Knesek what the most enjoyable part of the job was, her response was fairly typical. “I truly enjoy the challenges that come with my job”, she says, enthusing that “there are so many things to constantly think about and be aware of that there is never a dull moment. I have never been quite so challenged as I have been in this role”. By which she means everything from the long-term vision required for day-to-day management decisions that have what she calls “potentially huge ramifications”, to the relationships that must be built between a CISO and the corporate hierarchy in order to navigate the approval process and get a project from idea to innovation.

No Quiet Life

Knesek told us of her love of the mentoring she is able to provide to her team “in hopes of inspiring them to one day become a CISO themselves”, adding that while “mentally fatiguing and physically trying” she is always “amazed at what we are able to achieve”.

A quiet life and security management at this level do not go hand in hand, and a quiet life and Ed Gibson are not often uttered in a single breath either. The former chief (cyber) security advisor with Microsoft came hotfoot from 20 years as a special agent with the Federal Bureau of Investigation, including time spent as unit chief of the Investigative Technologies division at Quantico.

In his Microsoft role, Gibson concentrated on being the link between Microsoft and industry specialists, government and academia, law enforcement and commerce. The need for a CISO to be a people person was underlined when Gibson told us that the hardest part of the job was addressing internal administrative tasks. “I want to be with people”, he says, and when internal admin responsibilities take away from that, Gibson candidly reveals he “find[s] it sometimes intolerably frustrating”.

Indeed, Gibson always made a point of trying to “talk with at least one customer a day”. And if you have not yet grasped that Gibson thinks that CISO and ‘people person’ are interchangeable terms, how about the fact that he told Infosecurity that customers were very much his first priority and that he would “spend as much time as necessary to help them”, either personally or by delegating to someone inside the company with the requisite credentials.

Aiming at a Moving Target

For Jill Knesek, one of the hardest parts of her role is dealing with all the regulatory requirements that come with running any business, let alone a global one. “Data protection seems to be a moving target at times”, Knesek admits, adding that while it is difficult enough to solve the issues in the US alone, “when you have to worry about Europe, Asia, Latin America, Middle East and Africa as well it can really become quite complex in our borderless information society”.

You might be forgiven for thinking that this complexity would not be eased any by the passing of time, but Knesek disagrees and told us that “from a personal perspective it becomes easier because every issue you deal with better prepares you for the next one coming down the line”. Indeed, Knesek insists that every relationship built and fostered “provides a network of people that you can turn to for future issues”. That said, she also admits that “the inconsistencies with data protection laws are making this role much more complex and in some cases nearly impossible to comply with”. The problem, Knesek reckons, is that “data does not travel geographically the way laws are written, so until regulatory language catches up with our borderless information network, the role of the CISO will become more complex and require a more diverse background across IT, legal and business functions”.

Social Security Benefits

Knesek is certainly typical of your average CISO in displaying a solid work ethic. When we asked her how much time she puts in during an average working week, she told us it was around 60 hours “if you don’t count all the times I check my BlackBerry over the weekend while watching TV and eating meals”. Ed Gibson told us he worked around 12–14 hours a day in his Microsoft role, and most weekends for good measure.

Of course, it’s not all work, work, work for your average CISO, so how do they wind down? Gibson admits he probably travels more than some company insiders think necessary, but argues “personal contact is ever so important to how I work. Live meetings are fine in their place, and email is quick, but there is nothing more important to good customer relations than 1:1 or 1:few”. He doesn’t socialize much beyond coffee breaks, but does love to go skydiving in Spain as often as his bank account allows.

Knesek, on the other hand, doesn’t get to socialize with her peers a great deal, as they reside in a different country: she is in California, but BT is headquartered in London. However, with a global team covering nine countries and four continents, there is an opportunity for travel, and Knesek spends about 25% of her time doing just that.

Getting Inside the CISO Mindset

The average CISO tends to have bigger-than-average headaches, especially with the economy and a changing information security threatscape to deal with. Many worry about the economic and threat-driven risks that financial instability places on the company, its customers and its supply chains. The impact that the recession has on the CISO role could be summed up quite simply as: do more, with less.

Knesek admits that the recession has forced all parts of the business to become more cautious and has required an evaluation of business processes to ensure the company remains as cost effective and efficient as it can be. “Where we may have employed an additional person we are now trying to determine if technology or process improvement can fill the gap”, she told us, adding that “a recession like this is much like a pendulum swing where the lessons learned can be painful and not fade away as quickly as expected”. That said, Knesek also believes that IT security has “remained a bit immune from the full impact of this recession”, not least because “the price for under-investing in this area normally far outweighs the budget requested”.

Wanted: An Average CISO

Applicant must be a people-person with a sound knowledge of the infosec landscape. Ideally aged in their mid-forties, the applicant will report directly to the CIO or CEO and take responsibility for the following infosec duties:

  • Policy development
  • Policy management
  • Training and awareness
  • Governance
  • Regulatory compliance

The successful candidate will communicate with stakeholders at all levels to create security awareness for all. The role demands an understanding of risk assessment, threat and vulnerability management and company politics. Business continuity planning, data loss prevention, fraud prevention and privacy are all your babies: the buck stops with you.

You will effect change and perform to the satisfaction of the Board despite recession-fed budget cuts and not enough hours in the day. Previous experience not essential.
