Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. In this talk, based on a paper to be presented later this year at CSCW'22, I discuss findings from in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, representing 18 different commercial businesses. This work draws on broader security scholarship related to ontological security and on sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. The findings reveal that the CISO is an interpreter of something mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. I further discuss how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modern-day soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. The study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions, termed 'cyber sophistry'. The paper also discusses a series of implications for both organisations and CISOs.
Joseph is a PhD researcher within the Information Security Group at Royal Holloway, University of London and is performing multidisciplinary research into the purpose of Chief Information Security Officers (CISOs) and cyber-security functions within commercial organisations. He is interested in the broader social dimensions of cyber security and risk management and how they are used to influence society through power and control. Joseph currently works full-time as a CISO.