Spare a thought for the University CISO: ‘As a group, CISOs live on a knife’s edge and do not sleep very well. They know that a breach is inevitable.’ So said William Hugh Murray in an Open Letter to Target CISO Candidates. It may sound bleak, but new CISOs who are halfway through their first academic year might well recognise its reality.
Given that they are responsible for any breach of the University’s defences, being a CISO undoubtedly carries certain implicit risks and pressures. In the wider business world, Ponemon Institute researchers estimate that the CISO’s average tenure is just 2.1 years, and also found that 24% of respondents said that being a CISO was the ‘worst job they ever had’. Not the best advertisement for the role, but there is a positive here: in understanding the issues, we have also come to understand the solution.
In essence, the problem is that the CISO job description is changing. It’s no longer enough to be an expert in information technology; the CISO of 2016 is also expected to be a business leader, IT leader, finance leader and an excellent people influencer and navigator. It’s a tall order and one that few have the qualifications or experience to fulfil without additional professional support.
Yet, although the evolution of the role is undoubtedly underway, only a few Universities have recognised the benefit to be gained from ongoing professional CISO support. Just as the finance department is not expected to function without input from professional accountants, nor the legal department without access to specialist solicitors and barristers, so the CISO benefits from a collaborative relationship with information security specialists whose role it is to support, enhance and resource the CISO function within the University.