CISOs and organisational culture: Their own worst enemy?

Many large organisations now have a Chief Information Security Officer (CISO1). While it may seem obvious that their role is to define and deliver organisational security goals, there has been little discussion on what makes a CISO able to deliver this effectively. In this paper, we report the results from 5 in-depth interviews with CISOs, which were analysed using organisational behaviour theory. The results show that the CISOs struggle to gain credibility within their organisation due to: a perceived lack of power, confusion about their role identity, and their inability to engage effectively with employees. We conclude that as the CISO role continues to develop CISOs need to reflect on effective ways of achieving credibility in their organisations and, in particular, to work on communicating with employees and engaging them in security initiatives. We also identify a key responsibility for effective CISOs; that is to remove the blockages that prevent information security from becoming ‘business as usual’ rather than a specialist function. For researchers, our findings offer a new piece of the emerging picture of human factors in information security initiatives.