'Cyber security is a dark art': The CISO as soothsayer

TL;DR

This paper explores the CISO role as a modern-day soothsayer, revealing how cybersecurity's mystical perception influences organizational identity and the precarious, sometimes alienating, position of CISOs.

Contribution

It provides an interpretative analysis of the CISO role using sociological and ontological security theories, highlighting its mystical, belief-system nature and organizational implications.

Findings

Cybersecurity is perceived as mystical and unknown.

CISOs act as modern soothsayers for management.

The CISO role is precarious and can lead to alienation.

Abstract

Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, between October 2019 and July 2020, as part of a wider exploration into the purpose of CISOs and cyber-security functions. In this paper, we employ broader security scholarship related to ontological security and sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. Research findings reveal that cyber security is an expert system that positions the CISO as an interpreter of something that is mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. We further show how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modern-day soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. Our study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions that we term `cyber sophistry'. We conclude by outlining a series of implications for both organisations and CISOs.