Abstract
The employment of a Chief Information Security Officer (CISO) is common in commercial businesses. However, the purpose of the CISO role is not well understood. This thesis provides in-depth perspectives on the CISO role, and, in so doing, brings to the fore a nuanced understanding of its purpose and surfaces the experiences of those performing it.
The thesis is grounded in an in-depth study of 18 UK-based but predominantly multinational organisations. It utilises semi-structured interviews with 15 CISOs and six senior organisational leaders, as well as an analysis of each organisation’s annual report.
Through the application of empirically-grounded sociological theories to an interpretation of the findings, the thesis makes theoretical, practical, methodological, and empirical contributions. These include employing broader security scholarship related to ontological security and sociological notions of identity work to determine that cyber security plays an important role in business identity, being both threat to, and constituent of, that identity. It shows that the CISO’s own identity is conflicted and contradictory and proposes a metaphor of soothsaying that provides further insight. By applying analytical lenses of risk management and governance, it shows that the CISO represents an attempt to control cyber-security uncertainty, and highlights paradoxes relating to the role that the CISO plays in risk management. Further, it introduces the concept of recreancy to cyber-security practice.
Cyber security is also explored in wider societal contexts, with the work of Thomas Hobbes used as an analytical lens. This indicates that cyber-security practices within businesses are beneficial to the state and shows that cyber-security threats are survival-level concerns feared by both states and businesses. The thesis also motivates reflexivity about the complex and enmeshed nature of cyber-security practice within broader society.
The thesis concludes with considerations for future work that have been provoked by this research.
Original language | English
---|---
Qualification | Ph.D.
Awarding Institution |
Supervisors/Advisors |
Award date | 1 Apr 2023
Publication status | Unpublished - 2023
Keywords
- CISO
- Cyber security
- Interpretive research
- Business and Society