“Why CISOs Fail: The Missing Link in Security Management – and How to Fix It” Review
“Why CISOs Fail: The Missing Link in Security Management – and How to Fix It” (2018) by Barak Engel, book reviewed by Ben Smith.
I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
Sometimes you pick up a book and find it is a mix of both knowledge and humor. But that irreverence is sometimes a marker for irrelevance – in other words, the humor is being deployed to mask a lack of knowledge. Overdo it, and would-be comedians seriously risk losing their readers.
That is not the case with this excellent, and short, book. The author brings practitioner-level knowledge, supported by many real-world stories, to this topic focused primarily on CISOs (chief information security officers).
If you pick up this book expecting confirmation that a strong CISO is the most technically adept employee focused on security in a given organization, you won’t find that confirmation here. Because it is not true. A strong CISO may not be a technologist in the classic sense. And the entire book – deliberately light on technology – is structured around this truth.
There are many different hats a CISO should wear today or aspire to wear in the longer term. As discussed within the book, a successful CISO is a translator of business requirements into technical solutions; a business partner to all departments; an active participant in the due diligence process during mergers and acquisitions (M&A); an uncredentialed psychologist and diplomat; and a key member of the customer-facing sales support team. And more!
There are actionable ideas throughout the entire book. For example, the author includes two pages of questions to ask your cloud-based SaaS/PaaS vendor – but these questions are less about “checking the box” to confirm that certain security controls are in place with your third-party vendor, and much more about gaining insight into the mind of your vendor. If you have a solid sense of how your vendor thinks about security and risk management holistically, this can be far more valuable than simply knowing they have agreed to implement specific controls within their environment.
Some of the advice in this book, especially when read by an early-to-mid-career security worker, may come off as counter-intuitive. If part of your job is working with the third parties mentioned above – perhaps you are a member of a team writing questions or reviewing responses to an RFP (request for proposal) where your organization is soliciting products or services – the concept of not being overly prescriptive with your vendors may be completely foreign to you and your organization. And, if you’re on the answering end of an RFP exercise, you should always answer every question, right? Well, no – not always, especially if you recognize a specific question as one which really must be addressed and discussed live. Hint: only a CISO who has already built a relationship with the sales team can successfully pull this move.
In fact, “relationship builder” is typically not found in the job description of today’s CISO, but it’s an essential job responsibility which some new CISOs may under-prioritize. If you want to be the CISO that doesn’t fail in your new job, it’s not just the sales team where you want to establish a relationship built on trust. You need to recognize early on that working with your legal department almost always means you’re working on their terms, not yours. You want to get to know your financial and operational executive peers, usually the CFO (chief financial officer) and COO (chief operations officer), especially if you’ve arrived at your job with little financial training and business operations exposure.
By far the most important concept I found was explicit acknowledgement of the conflict between security and the business. Security teams are too often viewed as obstacles to the business, and this can lead to a vicious cycle of deliberately leaving the security team in the dark about some projects until the end of the decision-making process, when it may be too late for anyone to stop the rolling train. Even if the CISO is the only one who sees the bandits ahead on the tracks.
A successful CISO is someone who realizes this conflict exists – a gap which must (not should) be bridged for long-term success of the organization. Understanding the business context of decisions, of the corporate strategy, makes any CISO a better judge and contributor to that business. In fact, the author goes one step further and suggests that the CISO and the security team is not just the protector of a company’s brand, but can help strengthen that external brand and in doing so, help the company grow – a line of argument that a purely technically-focused executive might never consider.
Who should read this book? Just because it is not recommended for the Cybersecurity Canon Hall of Fame – by design, this book is very specialized in focusing on a single role within the broader cybersecurity universe – doesn’t mean it’s not a recommended book for other audiences. Yes, if you are a CISO today, you should read this – especially if you are new to either the role, or the organization.
But there are several other less obvious audiences who can benefit from this book: any information security manager thinking about a future move into executive management, especially someone who is today an operations-focused leader who doesn’t (yet) see or appreciate the broader risk management view and business context of the CISO role. An individual contributor (someone not in management today) thinking about a leadership role may find this less useful, but still full of good areas to keep in mind as your career progresses. The widest potential audience: anyone working in information security, at any level, who has experienced the “security vs. business” chasm and wants to close it.