We’ve come a long way in just a few years in institutionalizing the CISO/CSO mandate across our corporate organizational structures. I’ve written here and spoken countless times about the imperative that CISO/CSOs be granted equal footing with their CIO and CRO counterparts in order to maximize operational effectiveness and efficiency, not to mention security resiliency; and if that is not feasible, then he or she should at least have a dotted reporting line to the CFO or COO.

Beyond that, there is a stark security gap that concerns me—one that is more essential, and at the same time easier to fix, than senior reporting lines.

I strongly advocate, and urgently implore corporate management teams, to assemble and build a strong and resilient digital security leadership bench within their organizations, for a dual purpose.

Since the beginning of human warfare, long campaigns—and this cyber war we find ourselves in will surely be recorded as the longest continuous national-security-level conflict ever—have required intermittent and overlapping rest and refit for the soldiers doing the fighting and for their leaders: pulling the front-line troops ‘off the line’, as it were. The human body and the human mind cannot sustain indefinite, unceasing combat operations on the line, whether the posture is offensive or defensive. At some point the soldier, the platoon, the battalion, the division will crack, and combat effectiveness will fall precipitously.

Good and farsighted commanders have long recognized this, and so individuals and units have been pulled off the line to rest and refit . . . to decompress from hot emotions and prolonged intense focus, to rest, and then to rebuild mind, body and, importantly, spirit. Why should the cyber battlefield be any different? Sure, there is no hot lead flying around, and sure, there are no mortally wounded casualties. But the CISO is indeed fighting a constant battle against an unrelenting onslaught…against insidious, unseen digital enemies who seek to do harm to the company’s structure, its piggy banks and its operating strategy…to the CISO’s professional family.

Intel has gotten better, but it is still woefully thin. Quality staff are short in number. Budgets are, for the most part, tight. Insider threat still prevails. Making matters worse, a foolhardy expectation persists across many (not all) corporate quarters that cyber is a game that can be won outright—that “in hiring a ‘great’ CISO we’ve won”—and thus the corollary that any breach automatically equates to bad performance by the CISO. This is nonsense. And so the CISO goes to bed every night with one eye open, thinking anxious thoughts about unknown bad players who seek to do as yet unknown harm to her or his digital enterprise…her or his home.