Here are some quick reads for the week of September 5, 2016. If you have interesting links of your own share them in the comments.

Thoughts on CISOs and IT Governance

“CISO” is still a relatively new executive role, and most companies seem to be figuring out who or what constitutes an effective Chief Information Security Officer. As it stands, the title falls somewhere between Director of IT and Chief Compliance Officer in most organizations. Rather than empowering the role, this ambiguity blurs the lines of authority and ownership and makes it difficult to run an effective security organization.

I think the roles and responsibilities of a CISO will vary, for the time being, with an organization’s needs and maturity. But regardless of how an organization decides to brand the title, the role has to be clearly defined and clear lines of authority established.

I’ve seen a number of organizations hire a CISO under the misconception that one person can make all security and compliance problems disappear, but that’s just not the case. If we’re going to get serious about security, the entire leadership has to buy in (and that includes budgets). Security has to be a sustainable business process – not a fire to be put out, which is the current climate at many organizations.

Look no further than the number of jobs most CISOs have held in the past 5 years. Average tenure for a CISO hovers somewhere around 17 months across almost all organizations. That fact alone points to something interesting and problematic in the world of information security.