Being a CISO is a tough gig. The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small. But the perception still lingers that the Chief Information Security Officer (or her InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response. For some CISOs, it may feel like High Noon, all over again.
This is unfair to the CISO, and wrong on at least two counts. First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control. Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.