“Many CISOs live day to day under the sword of Damocles”
A controversial quote to begin with, I admit. However, in the past few years, data breaches have become more prominent, impacting businesses, governments, healthcare, and even hairdressers! There is no let-up in sight and business leaders must pay attention to the cyber risks they face.
The Chief Information Security Officer (CISO) has become the focal point for all cybersecurity questions from the board of directors, shareholders, auditors, regulators and the media.
The role of the CISO is also a challenging one to fill. This may be due to a shortage of highly experienced available professionals combined with a significant interest in these positions due to their high salaries and prestige in the marketplace. The average CISO tenure varies depending on which industry analyst report we are to believe. In 2013 the Ponemon Institute suggested the average was 2.1 years. In 2015 LinkedIn considered it to be 4 years and CIO Magazine estimated it to be 17 months. Averaged together, these estimates predict a tenure of 2.5 years, this has sometimes been referred to as a CISO carousel or merry-go-round. Even this may be optimistic, given the emerging trend of offering CISOs 1-year fixed term contracts, possibly due to limited expected tenures or broader uncertainty about the scope and responsibilities of the role.
In 2016 the Information Systems Security Association (ISSA) published a research report on ‘The State of Cyber Security Professional Careers’, which examined the reasons that CISOs leave their roles. It showed that:
- 31% said CISOs leave when the organisation does not have a culture that emphasises cybersecurity
- 30% said CISOs leave when they are not an active participant with executive managers or the board of directors
- 27% said CISOs leave when they are offered a higher compensation package at another organisation
- 23% said CISOs leave when the cybersecurity budget is not commensurate with the organisation’s size
- 22% said CISOs leave when the IT organisation ignores or minimises cybersecurity as part of its planning and decision-making process
Whatever the reason for CISOs leaving (or any other leadership role for that matter), succession planning is critical to maintaining leadership stability and shareholder and workforce confidence.
Deloitte also highlights the importance of considering both CISO succession planning and developing others who can represent the CISO. These individuals should be identified early and cross-trained across all day-to-day business aspects that a CISO deals with.
Those CISOs that have remained in their roles for longer periods often put their longevity down to some of the following factors:
- Working close to the C-Level to understand how they operate, their requirements and what factors can support their success. This interaction needs to be a regular occurrence, not only when things are going awry.
- Understanding their stakeholders and how their business operates. Knowing and managing the strengths weaknesses, opportunities and threats of the business to be able to make decisions efficiently with conviction.
- Developing a strong internal network of allies. Identifying the astute individuals across the organisation that can support them and reciprocate favours when called upon.
- Coaching and mentoring their direct line of reports to delegate activities and act as trusted advisors in their absence and identify a clear deputy.
- Continually adapting, gathering information, learning and developing new skills to improve their knowledge of the business, the industry they operate in and the information security domain.
- Building trust and respect by engaging with impact, delivering reliable, sharing successes with the business and acknowledging the team members and colleagues that have supported delivery.
- Sharing experiences and knowledge with peers and industry thought leaders.
- Developing resilience is critical. It takes thick skin and resolve to be a CISO.
Therefore, while some CISOs may feel there is a sword hanging above them it won’t always be this way as organisations mature their security posture, build awareness, culture and behavioural changes in their workforce. In the meantime, I would recommend that boards and CISOs work together to ensure a smooth transition in the event of an early departure from the merry-go-round.