The role of Chief Information Security Officer (CISO) for a business and the role of NFL head coach have a lot in common. Both are responsible for leading teams to victory in a high stress environment and both are constantly under fire from ownership, the media and their opponents. In football, these are opposing teams and in security, they are attackers. But in both cases, the team leader’s job is to find success even as a continuous barrage of highly skilled adversaries does their damndest to undermine their efforts. And in both cases, the margin between success or failure almost always comes down to the quality of the game plan.
The New England Patriots’ Bill Belichick is arguably the greatest head coach in the history of the NFL. He’s got six superbowl rings as a head coach to show for it, as well as approaching Don Shula for the title of winningest head coach of all time. However, even with all these accolades, he is currently on the hot seat in New England. His team is looking ill-prepared to defeat even middle-of-the-pack opponents for the second year in a row and it’s looking unlikely the Patriots will have a chance at playoff contention.
So what changed? Without getting into the minutia, the short answer is: over the past 20 years, the landscape has changed around him and he has failed to adapt.
Breaches Often Equal Leadership Changes
This is the primary lesson for CISOs in the modern era. The cyber threat landscape is constantly evolving — the field of skilled attackers and their targets expands while regulatory agencies tighten down on what constitutes compliance. This means that when the game plan fails, often CISOs take the brunt of the fallout, just like head coaches do in football. In the midst of this onslaught, CISOs end up being the face of their security program, as well as its successes and failures.
You probably remember when the credit reporting agency Equifax suffered a massive data breach in 2017, exposing the sensitive information of millions of individuals. The company faced severe criticism for its handling of the incident, including delayed disclosure and perceived negligence. Following the breach, both the CISO and the CIO resigned from their positions.
But there are seemingly unending examples of the same phenomenon. In 2014, we saw the Target supply chain breach lead to the ousting of multiple executives including the CIO and CEO. In 2015, JP Morgan’s CSO and CISO were reassigned to new positions following a breach that leaked 83 million US accounts. In 2019, Capital One replaced its CISO after attackers stole their personal information of 100 million customers.
These are just some of the more prominent stories, but this story repeats itself all over the business world many times a year.
What Are The Effects of the CISO Carousel?
You’ll frequently hear football fans and analysts refer to the coaching carousel. When a team’s season takes a turn for the worse, they replace the regime that oversaw that turn. However, there is a limited number of experienced coaches available. The effect often ends up being that teams in turmoil are simply trading around the same coaches in a big circle. The same exact effect can be found in the security industry.
Many would argue that it’s unfair to lay all the blame at the CISO’s feet after a data breach. CISOs face massive amounts of pressure which can lead to burnout. Meanwhile, just because the quality of a program doesn’t immediately turn around when a new leader takes over does not automatically mean they were wrong for the job. Massive structural changes and instant gratification rarely go hand in hand.
Hindsight is 20/20 and frequently, decisions that seemed to make sense in the moment can still go awry, easy as they may be to question by monday morning quarterbacks. Additionally, implementing a new CISO’s vision may take some time — often longer than that CISO’s tenure ends up lasting. This pattern of constantly pivoting strategies can result in a frankensteined program made up of tiny components of many different plans. Such lack of cohesion creates gaps in security and actually raises risk of a compromise. The solution then to the CISO carousel becomes that boards must view security as a team sport rather than a blame game.
How Can CISOs Stay Above the Fray?
It’s never quite so simple as to blame a leader of a team for its successes and failures. Most teams have a complex network of interplaying components. While it is the leader’s job to ensure these components are working well together, it’s not always 100 percent the CISO or head coach’s fault when things don’t go according to plan.
However, as the leader of the team, it is important not to get stuck in your ways to the degree that you fail to adapt to a changing landscape. We’ve seen numerous incidents over the years in which companies and their security teams failed to recognize a new threat, or failed to act on a known one. In fact, research from IBM found that companies who experience an identity-related breach have an 83% chance of experiencing another.
So job number one for any CISO looking to avoid the carousel must be to adopt a proactive approach. If a breach occurs, it’s immediately time to triage the situation and make changes. Remember, just like football, the security game is an arms race. And in both arenas, winning often comes down to the preparation and quality of the weapons with which a team is provided.
Leveraging enhanced tooling and automation is a great way for CISOs to take the pressure off of both their teams and themselves. Using Waratek to implement immutable application security rules is an excellent way to massively reduce the risk of a breach on day one. These security protocols are implemented and integrated automatically during the development stage, eliminating entire classes of java vulnerabilities for the application’s entire lifespan.
You’ll constantly hear that the best defense is a good offense, and that remains true in security too. The proactive nearly always triumph over the passive. That doesn’t mean you have to spend 20 hours a day at the office or come in on holidays. What it means is to constantly be improving your team’s output, even if the big breach we all fear hasn’t happened yet. You can implement automation and guardrails to accomplish that. So grab your white board and start fiddling with the x’s and o’s. The best time to get proactive in the java security arms race was yesterday. And the second best time is today.
To get started enhancing your java security playbook, click here.