Is it time to look elsewhere?
Everyone knows that cybersecurity is a red-hot career field, and chief security officers (or chief information security officers in many organizations) are the ones leading the online security defense. So how can we explain the current situation where about 24 percent of Fortune 500 CISOs last just one year, according to Cybercrime Magazine?
Digging deeper, the average tenure of a CISO is just 26 months, according to ZDNet.
But why? What happens? Or, what does not happen?
Of course every security leader’s situation is unique. Still, there are certainly trends occurring that go back more than a decade. So what are the most common patterns, stories, incidents and relationship problems?
The conventional wisdom says the reason CISOs lose their jobs is that when a data breach happens, the top cyberleader becomes the scapegoat. Indeed, this CSO Magazine article outlines seven security incidents that cost CISOs their jobs: “According to Radware’s 2018 State of Web Application Security report, 23 percent of companies reported executive firings related to application attacks. U.S. companies were more likely to say execs were let go after an incident, as were companies in the technology or financial services sectors.”
The list of headline-grabbing incidents includes trouble at Capital One, Equifax, Uber, Facebook, Target, JP Morgan and San Francisco State University. There are certainly other examples of the same in federal, state and local governments.
The same article goes on to say that security incidents can be a good thing, if you keep your job. After a major security incident the team often gets resources and support to fix problems. Also, stress is usually lower over time.
Nevertheless, it is difficult to know the real numbers of data breaches leading to CISO firings, because most of this data is reported in surveys, with many details never being reported. For example, “less than 1 percent of CISOs are actually fired, though 12 percent believe they would be dismissed because of a breach, according to a 2015 IDC report.”
Other sources, via anonymous interviews, “recall occasions where their firm’s CISO was dismissed for poor reporting, exceeding their budget, not following business strategies or even spreading FUD (Fear, Uncertainty and Doubt) — rather than delivering practical solutions to these same problems. It was, as one CIO remarked, a case of the CISO ‘talking the talk, but not walking the walk.’”
A few years ago, The Seattle Times reported that “as hacks soar, tech honchos are the first to get fired, and then rehired”:
“Being a CISO means keeping that résumé polished,” said Chase Cunningham, a security and risk analyst at Forrester, a technology-research company in Cambridge, Mass.
“It’s about the only executive-level job I can think of where you are 100 percent accountable for the failures to come, even though it’s a guarantee that [they] will happen at some point,” Cunningham said.
For those caught by headline-grabbing breaches, job security may be shaky. But a shortage of experts in cybersecurity is such that landing another job is nearly assured. “It’s not hard to get another job, as there are plenty of them out there,” and honestly it’s “good” if you have been through a breach, but it sure isn’t painless, Cunningham said.
In this LinkedIn post, Simon Legg, CISO at Hastings Direct, wrote emphatically that CISOs should expect to get fired:
You may agree with this or not, and you may think the statements trite and without detail, but heck, let’s hang this out there … in my view as a CISO, or indeed a chief information risk officer, you have to do four basic and foundational things:
- Really understand the risks to your organization and where you sit against those risks
- Educate the board, the management and the people in the organization
- Provide pragmatic solutions and choices to the board, the management and the people in the organization
- Beat the desk and beat it hard if you think there is unnecessary obstruction when it comes to dealing with the issues and making progress
In my view, in the event of a major event or incident, if you fail on any of the above you should not only expect to get fired, you should hold up your hands and take responsibility. If actually you have done all the above and still a significant event or incident happens … then the reality is you may still expect to get fired, or at least accept the possibility of being fired.
And one more: Alert Software offers us their top five reasons CIOs get fired. At the top of this list is security breaches. This is the story of what happened to former Utah CIO Steve Fletcher, who was a top state government leader at that time with numerous awards.
Why Address This Topic Now?
You may be wondering: Why is Dan Lohrmann bringing this up now?
No, I did not get fired. Yes, I am still the CSO and chief strategist at Security Mentor.
But I have seen several friends, respected colleagues and trusted industry expert CISOs and CSOs move on in the past year, before the time “seemed optimal” in my opinion.
Without getting into personal details, I want to list a few reasons that CISOs are moving on. I see recurring patterns in the public and private sectors right now beyond data breaches or headline security incidents like ransomware.
1. Change in top company or government leadership. There was a time when security leaders were so far down the org chart that a new governor, mayor, CFO, CIO, CEO or other CxO would rarely affect the CISO role. No longer.
More and more security executives are reporting to the top of the org chart — which is a good thing. However, when these people change (for whatever reason, including an election, poor performance or normal turnover), the new leader often brings in their own team. More and more, these teams include a trusted CSO or CISO who is a known entity to the new boss. On some occasions it takes the new leadership a year or more to get their entire new team in place, so when the current CISO’s contract ends, there is no renewal.
2. Differences in technology security philosophy, including resources allocated for cybersecurity. As I have written on many occasions, I have never seen any executive say (in either public or private) “I don’t support cybersecurity.” This would be a major mistake and career-ending move for any serious executive leader. It would also be seen as a sign of incompetence, almost like saying, “I don’t believe in weather.”
However, savvy CISOs quickly discern whether their leadership is truly serious about protecting the organization’s digital assets. Do they walk the talk? Truly support our efforts? Allocate needed funding and other resources?
Competent security leaders know that things will not end well if they don’t get real support. Some leave as soon as another opportunity arises if they feel that management is not serious about cybersecurity.
3. Personality conflicts. Beyond these first two points, I know of several CISOs who just didn’t get along with their bosses, so they eventually left. As many studies have shown across diverse roles and industries, most people rank relationships as the No. 1 job satisfaction criterion, and the relationship with one’s manager tops that list.
Back in 2018, I wrote this piece on how to evaluate (or grade) security and technology leaders over time. That article focuses on the relationships all around CISOs, which of course are impacted by incidents and events on the ground at work.
In 2019, I wrote this piece on how CISO expectations are becoming impossible to achieve.
And yet, CSO and CISO turnover is still alarmingly high — and higher than in many other technology leadership roles. As many have pointed out, burnout, work-life balance, stress, the changing cyberlandscape, relationships and, yes, data breaches, all contribute to the challenges security leaders face.
Make no mistake, CISO longevity and organizational cyberdefense success are both at stake. I hope this analysis can help CSOs think about these factors before they take their next leadership role.