I recently finished a trip where LBMC hosted about ten regional CIOs and CISOs for dinner to create dialogue around HITRUST, cybersecurity, and privacy. We had a great time talking with new and old friends alike about HITRUST CSF. However, the conversation became very serious among a small group: one was a new CISO, one had been in a new job for a little over a year (“experienced”), and one was an industry veteran in cybersecurity who had been in his role for over two years and was soon leaving. The new CISO, wide-eyed and excited about his challenges, asked for advice. The “experienced” CISO and “veteran” CISO offered that he should get his budget set right away. He was also encouraged to get a trusted team in place. The experienced CISO was feeling the burn. His budget wasn’t in line with what he needed, and he was losing sleep over what he didn’t know. And the “veteran” shared his experience with a breach, and the feeling of lack of support after having gone through the same phases as the new and experienced CISOs.
As the evening progressed, my seatmate at dinner was a distinguished attorney with robust international compliance and privacy experience, now in the role of a privacy officer. There is no question that she understands how important security is, as well as having proper documentation for any incident – federal, state, customer, etc. And she certainly understands there is a difference between security and compliance. In the relaxed environment of dinner, she told me she’s tired of hearing “not now” from the board in response to implementing the tools she needs to do her job. Not surprisingly, the entire table of CISOs and CIOs heard this plight. One CISO added, “The average tenure of a CISO is two years.” Another CISO said, “And, we are just scapegoats.” And then, yet another, “I’m 1.5 years, and just got turned down on my budget. I suppose I’m next.” It struck me that this group all faced the same challenge toward budgeting, and lack of support was the underlying cause of their anxiousness.