As a follow-up to my thread asking if "security" is a profession.

In the tweet from @UK_Daniel_Card, one of the discussions was around what impact a CISO has (reporting to the CIO *or* directly to the CEO, whatever).

Again, I don't think I have a good answer. https://twitter.com/tazwake/status/1317922910661713920
If you are a CISO, I am sorry for saying this, but often the impact a CISO has is almost non-existent.

A lot of the time this is because it is not really a board-level C role; it's a subordinate to a real board-level C-exec (the CIO, normally). This is sadly common.
Side note - when I say the impact is non-existent, I don't mean the CISO is personally useless. I mean they can't really move the organisational dial very far. They can give advice, but it's effectively the same as me turning up and telling them to do things.
Now compare and contrast this with Finance. The CFO carries some weight in an organisation. Circling back to my previous thread, the CFO is likely to be considered a professional with formal education in their field.

Is this significant?

I think it is.
Now, clearly not every C-level exec has a professional background or formal education (I am looking at the CIO here), but it certainly helps with organisational respect. Legal/Finance are, in my experience, always formally qualified.
Most of the time marketing and HR also have a generally recognised formal education.

Security (and almost as often IT) is really the only place where self-taught is widely accepted as the educational requirement for a C-level executive.
Reminder - I am not advocating for more gatekeeping here. We have enough foolishness with that already. I am also not saying $cert is the solution. Most of them suck in this respect.
We know security struggles to be properly respected in organisations (lip service is easy). At the same time we bring a cottage industry of self-taught people with mixed levels of competence/knowledge to the table and wonder why we aren't respected.
I *truly* believe that security needs its own C-Level executive, but until we solve the professionalism problem, even if organisations do put security on the board it won't matter. Security will always be an uncomfortable presence there.
A common example is how even C-Level security executives spend their lives balancing out business objectives. The CFO has the moral authority to set budgets. Legal have the moral authority to set requirements. The CISO, however, is busy winning the others over.
For better or worse, today, security succeeds with leaders who can influence and engage the rest of the board. We have to do this. Is it because security is seen as the unwelcome, *unprofessional*, self-taught, CTF playing board member?
I've been to conferences for senior legal, HR & financial executives. Zero time is spent talking about how they can win over the CISO to support their plans. Yet here, in security, we have to win them over.

This may change one day, but not today.
Again, I have no answers - or even ideas on how to answer this problem. We have to go with the cards we have been dealt right now.

I do believe that if security *was* professional, this problem would be minimised, or even eliminated.