Are successful CISOs good or just lucky?
A while ago I noted how information security is probably more like poker than craps because there's more than just chance involved. Recent research (PDF) by Steven Levitt and Thomas Miles seems to indicate that this is actually true. They found that more successful players tend to win more at poker than average players do. That's something that you wouldn't expect to see in games that were just games of chance.
But not all successes that we might think of as being due to skill are really due to skill. Some research has suggested (PDF), for example, that the performance of successful mutual fund managers is more easily explained as good luck instead of a higher level of skill or superior knowledge.
What about CISOs? Do successful CISOs have superior skills or knowledge that significantly affect the performance of their organizations? Or are they just lucky?
I haven't seen any research that tries to answer this question, but I'd guess that the element of luck is getting more and more important. Today's software is extremely complicated, and with that complexity comes all sorts of bugs, some of which affect security. And because all software has bugs, it's probably possible for a clever hacker to find them and exploit them in any software. You might be able to find strategies that minimize your chance of hackers finding and exploiting them, but the chances of this happening never drops to zero. This means that no matter how good a CISO is, there's always a chance of their systems being hacked. And because the chance of being hacked is always there, maybe it's more luck than CISO skill that determines whether or not a particular business gets hacked.
And because so many decisions are now made for compliance reasons instead of a CISO thinking that a particular strategy is good, I wouldn't be surprised if the affects of chance are getting greater and the affects of CISO skill are getting smaller. And because software is likely to get more complicated in the future and regulatory compliance is likely to become a bigger factor in information security strategies than it is now, it might also become more and more difficult for good CISOs to make a difference in the future.