6 career realities faced by every CISO

Every week, news headlines spotlight cybersecurity challenges. Breaches, phishing, zero-day threats and hacks through IoT devices all feature.

Once a month or so, an unfortunate company is named as they uncomfortably announce an investigation to assess the size and scale of a security issue.

Since the start of 2019, 29 private companies and government organisations have announced some type of data breach across Australia. These aren’t small organisations. These are organisations with security strategies, teams, infrastructure and processes in place, along with budget to fuel the same.

Along with government agencies, the list includes public companies and others who, if not listed, are brands known by the average Australian. Kathmandu, Bunnings, Optus, Big W and the Victorian Government have all made the news this year for some kind of security breach.

(Webbers Insurance maintains a current list of data breaches across Australia. Browse the organisations and the challenges they’re facing here).

With rapid innovation happening across every technology field in the world, cybersecurity threats are becoming faster and more sophisticated. It is no longer a question of if an organisation will suffer a security threat, but when.

The hot seat

The Chief Information Security Officer (CISO) is the executive in the security hot seat. Charged with developing strategies, tools and process to stay up-to-date with ever evolving threat, CISOs also need to mitigate fallout in the event of a breach. They’re responsible for reporting to the Board and C-suite stakeholders on security and risk across a business and for staying aligned to compliance and regulatory requirements.

The depth and breadth of the CISO role is challenging. To succeed, these executives require technical depth and the ability to speak the language of business. They must be able to develop and communicate multi-year strategic vision and manage specific task-based projects week in and week out.

They need to operate at scale, be fiscally responsible and prioritise ruthlessly. They have to transition seamlessly from the Board room to the project management room.

With businesses everywhere prioritising digital transformation, the CISO is also integral to the design, and re-design, of an organisation’s security posture. Oh, and they need to manage teams on a day-to-day basis.

The role is in-demand, demanding, fast-changing and unpredictable.

It might sound logical that, when an organisation hires a talented CISO, they’ll do anything to keep them. However, research shows the average career tenure for the CISO position is between 17 and 25 months.

CISO career realities

Let’s explore some career realities faced by CISOs which determine this relatively short time in role.

• Compensation: The CISO role is in high demand in a market grappling with a shortage of cybersecurity skills. Many CISOs move on when presented with an offer they simply can’t refuse.
• Corporate culture: In this age of rapidly changing and growing security threat there are organisations out there with corporate culture not yet aligned to embrace cybersecurity practices. Given how tough the CISO role is, and how much in demand these executives are, if an organisation isn’t committed to building a security posture, CISOs are likely to move on.
• Empowerment: The best CISOs are business leaders with a technology background. Many will jump ship if the Board and senior executive teams don’t embrace them as part of the C-suite, and treat them instead as the most senior tech head in the organisation.
• Budget: CISOs need to implement innovative technologies to convert security and risk management strategies into action. If the organisation doesn’t prioritise investment to protect their environment, employees and customers, CISOs will be tempted to look for a new role.
• Talent mismatch: There are many CISOs in the market and, unfortunately, not all of them are competent. A genuine mismatch on skills and expectations will typically trigger a job search.
• Breaches: There’s no doubt breaches are a career reality for the CISO. What is doubtful is that CISOs are scapegoats for breaches. As any organisation will appreciate, security and risk is managed by more than one person, system or application. Sometimes a total C-suite overhaul does follow a breach, such as those at Target and JP Morgan. However, the reality is that less than 1% of CISOs depart because of a breach. After all, they are arguably the most skilled and relevant person to respond to the breach and strategise the way forward.

The CISO demand

The CISO role is one of the most demanding position in the security domain. They have massive responsibility to protect an organisation, a feat which is almost impossible to guarantee. While the proliferation of threats from outside an organisation is material, it is often the people inside the organisation whose actions trigger the most damaging breaches. One missed upgrade, insecure process or creative hack is all it takes to make headlines.

When running a search to bring a CISO into a leadership team, remain mindful of the triggers which motivate them to leave. An experienced and skilled CISO is hard to find. Don’t offer them reasons to leave.

If you’re looking to bring a CISO into your team and would value a confidential conversation about the strategy, please contact us here.