Social Network For Security Executives: Help Make Right Cyber Security Decisions
[Posted on behalf of Gary Hayslip, CISO, SoftBank Investment Advisor]
Recently, I have written and spoken on the subject of CISO burnout. I have stated my belief that the job is maturing so fast, it's harming many of the security professionals who serve in its varied positions. While speaking about this subject and the importance of self-care for security professionals to manage their stress, I also found another topic that is of great interest to many of us who serve in security leadership roles. This new subject is focused on why the tenure of the CISO position today is so short when compared to our technical peers, the CIOs or other members of the C-suite.
According to research conducted by Korn Ferry (via The Wall Street Journal) on the length of tenure of the top 1,000 U.S. companies' C-suites, the average tenure for CEOs is about 8.1 years, while the average tenure across the entire C-suite was 5.3 years. However, the average tenure for CIOs is 4.3 years. I bring this up because a survey conducted by Nominet Cyber Security shows that a CISO's average tenure is about half that of a CIO. This startling difference led me to explore whether this is because the CISO role is still immature and new to the C-suite or because there's something else we as a community are missing.
At first, I admit I had a preconceived view that it was just CISOs being fired as the messengers of bad news. However, if that were the case, there should be more examples of companies in the press that had been breached and were removing their security leadership teams for cause. I'm sure this does occasionally happen; being a CISO myself, I feel the stress of my executive team's expectations that I will be responsible for the corporate cybersecurity portfolio, and I will lead the organization during any security incident and be accountable for our efforts.
But just because that stress is ever-present doesn't mean I also have a one-way ticket to being removed once an incident is remediated. To me, that wouldn't make much sense due to the amount of time and resources it takes a company to hire a CISO, so I am starting to believe our short tenures may be related to a mixture of different issues.
A research report conducted by the Enterprise Strategy Group (ESG) and ISSA in April 2019 surveyed over 267 global cybersecurity professionals, and one of the topics covered was why CISOs change jobs so often. I had approached the short tenure issue from the point of view that it was due to companies removing their security executives. Now, through this report, I am starting to see there are multiple pieces to this tenure puzzle.
Companies removing their CISO after a breach is not the only reason CISOs leave an organization. The following are three data points that I found resonated with my peers, and I believe they have a significant impact on why the tenure of today's CISOs is so short.
1. No corporate culture: 36% of the security executives ESG-ISSA surveyed stated that, as CISOs, they would change their job when they feel their employer doesn't have a culture that emphasizes cybersecurity.
2. No visibility: Nearly one-third of the security executives surveyed stated they would change their job if they felt they were not being taken seriously and were not actively engaged with the executive leadership team.
3. No resources: 27% of the security executives surveyed stated they would change their job if they felt the budgets were not realistic given the risk associated with the company's size or industry.
These three points demonstrate the CISO short tenure puzzle has a practitioner side where CISOs feel comfortable enough about the cybersecurity job market that they are willing to walk away from a position if they don't think it's right for them. Of course, this doesn't answer all of the reasons the average CISO tenure is so brief.
According to an article published by CSO magazine that featured dismissed CISOs discussing why they were let go, the short tenure problem could be a combination of a good job market and CISOs struggling to mature as business executives. It's the second part about being a business executive that I think leads to many of the business-related dismissals we see, and "firing due to a data breach" is actually just a small part of the overall tenure story.
The CISO role has always been a technical discipline, but due to its increasing visibility, CISOs are now required to be more strategic and business-focused than ever. These new business expectations result in additional requirements, such as:
• Managing budgets.
• Developing and executing strategic plans.
• Delivering practical solutions that support the business.
• Keeping executives informed of current risks.
• Delivering projects and initiatives within prescribed budgets.
Many of these requirements add additional stressors to an already demanding job, and after much thought, I feel the current short tenure of 18 to 36 months for CISOs is correct for a new executive position that is maturing, coupled with a dynamic job market. However, even though I better understand this issue my community is facing, I also believe it should be of extreme importance to businesses.
Companies can better manage their relationships with their CISOs by:
• Accepting them as business executives and including them in meetings where decisions are made. Being part of the C-suite at my previous company allowed me to have a wider view of business operations and note areas where my program could support the business in achieving strategic goals.
• Accepting that cybersecurity is a core business function and that it's a continuous process. It requires a trained executive and annual resources, and companies only get out of it what they put into it.
• Understanding that being a business executive may be new to many professionals in the CISO role due to the position maturing and being accepted as a member of corporate leadership teams. It's best to team CISOs with business mentors from other business units to help them adjust and grow professionally.
Companies invest time and resources to find CISOs, and they need to address this tenure dilemma through mentoring and educating their CISOs just as they would other essential business executives. This approach should help offset the job market effect and hopefully stabilize CISO tenures in today's C-suites.