An average CISO Tenure is 17 months. This is why we brought up the burnout issue.
CISO Role Expectations-
Below are the expectations from CISO's and these challenges faced by CISO's can make them fired/quit. Sometimes, they can't bear pressure and responsibilities that are upon on them:-
- Prevent any security risks in an enterprise (Superpower Expectation)
- Budgeting for and justifying a security technology solution, justifying the reason of procurement and how will it help to make the current ecosystem better. They need to give justification to management with the quantitative cost benefit analysis of the procured security solution
- Communicate & drive security in terms of business, communication with decision makers within the organization is one of the exhausting responsibilities of a CISO. Addressing organizational needs are very critical and understanding the threat posed pertaining to your organization is not an easy job. It's always a good approach to use metrics as it is a good way to take information which otherwise is difficult to explain and transform into quantifiable information that board members can grasp easily.
- Getting a good team together with the deserved skills (security skills are way below demand): CISO's should have a good technical team with him, which can help in this big fight. Also, Security team should spend time customize the audit and compliance reports before reporting compliance numbers to the board.
- Difference of Opinion with CIO (the interests vary) but yes, it is expected to be. CIOs and CISOs will always have an adversarial relationship, and that's as it should be.
- IT Security Infrastructure (Scale it from the present condition), as your business grows, the number of end-users increases and hence there is need of scaling the infrastructure.
- Dealing with technology solution providers, choosing the best solution which can map to organization need and existing security ecosystem. To secure the enterprise, the CISO must use tools/security products. Here's a challenge in itself. The number of IT Security Vendors and Products is ever increasing. It's not even robust, a single Google search doesn't give much insight into the numbers of the same. This results in decision complexity increase many folds.
How complex can the decision become?
Technically if we consider the 'decision tree model' (often used in computational complexity), the function is directly proportional to the no. of factors/parameters affecting the decision making. This means, the larger number of vendors, the larger the complexity. And all this is often done in your brain-it's a challenge we probably don't comprehend every day. But that's what a CISO or other Senior Security Officer's brain faces.
For more details on the computational tree models follow the reference link
They need lots of bandwidth to evaluate security vendors. For Example: let's take an example of End Point Protection: According to Gartner, There are 23 Security vendors providing an end point security solution. This is a very tiring job to understand which vendor can best to the organization needs and can be mapped to organizational success.
- Cognizant of Emerging Technologies: With the advanced persistent threats (APT) or malware's, you can't relax even a single second. You never know when you can get a call to pay ransomware, that can put your job at risk. You need to be aware of latest technologies in the market.
- Navigating the procurement process which can never hustle free and can be quite exhausting. There are a number of documents you need to go through & prepare and understanding all the terms & conditions. Also, negotiation also takes lots of efforts as giving a justification of each penny to management also needs to be done.
CISO's are critical in the defence of an organization from cyber-attacks and hence they are expected to overcome all these challenges. They need to figure out the ways of making their job a bit easy. Some of the recommendations are as follows:-
- A good solution provider who helps in supporting CISO to overcome all challenges.
- CISO also needs to be in contact with other CISO's to understand their perspective on emerging technologies.
- CISO needs to explain risk in the form of metrics and needs to customize the audit or compliance reports so that management can understand.
- Needs to be cognizant of all emerging technologies and should be a part of various security conferences/communities.
- Explaining in terms of ROI and Cost benefit analysis for the management while justifying for any procurement.
- CISOs are influencers and they impact everyone in the organization. Therefore, they need to do evaluation of any decision judiciously.
- Having a good and supporting team can make the job easier. Therefore, CISO should also be part of recruiting process because eventually that will help him later