Setting clear expectations for the CISO role

If you’ve ever looked at a job description for a company trying to hire a CISO, you’d think only superheroes need apply. Organizations have lofty, often unreasonable, expectations for the CISO role. The task is not impossible, but it’s crucial for the CISO to understand what the expectations are, make a case against expectations that are unreasonable, and communicate effectively when expectations can’t or won’t be met.

I wrote this blog post about the expectations on the CISO:

You’ve probably heard the phrase “You can’t squeeze blood from a turnip” before.

The point is that no amount of begging, coercing, pushing, or otherwise coaxing something can yield results if those results simply aren’t possible. Many organizations, however, hand a proverbial turnip to the CISO and expect blood in return.

Executive management or the company board have expectations for the CISO. It’s the job of management—and particularly of the board—to wring every last drop of productivity and potential revenue from the resources available and that includes the CISO. It’s fair for an organization to have high expectations as long as they’re reasonable and attainable expectations.

Setting Expectations
So let’s start there. You have to ensure you clearly understand what is expected of you as the CISO. What metrics will your performance be measured by? What tasks are you required to accomplish and in what timeframe? How much budget do you have available to dedicate to your tasks? Do you have the right number of employees to accomplish the tasks and do they possess the appropriate skills?

These are all important questions to answer because they impact each other in a sort of Venn diagram, and the resulting overlap is the set of reasonable and attainable goals. In and of itself, a goal to implement two-factor authentication for all sensitive applications and data access is reasonable. If your organization expects you to achieve that goal with a budget of $100 and/or by next Tuesday, however, it’s an entirely different story.

Establish clear expectations with your manager, whoever it is you’ll be answering to. Then assess the resources you have to work with. Only then can you figure out where the overlap is between what is expected and the resources that are available, and determine what’s reasonable and attainable.

Read the full post on the RSA Conference blog: You Can’t Squeeze Blood From a Turnip.
