CISO Vulnerability: How to Stop the Churn

(March 15, 2023)

As part of the launch of the U.S. space program’s moon shot, President Kennedy famously said we do these things “not because they are easy, but because they are hard.” The same can be said for the people responsible for security at their organizations; it is not a job one takes because it is easy. But it is critically important to keep our digital lives and work safe. And for the CISOs and leaders of the world, it is a job that is more than worth the hardships.

The “human factor” has become a key discussion point in the cybersecurity community. In an industry that has arguably focused more on technology than on people, the humans behind both threats and security have been sorely overlooked. Even the CISO, the conductor at the head of every security team, has been an elusive figure.

Over the past 12 months I have been told countless times by CISOs and security professionals that this resonated with them and their personal experiences. Having to balance the responsibility for fighting increasingly sophisticated threats with communicating their business case effectively to the board has put them under strain.

Let’s face it: being a CISO is not an easy job. To be successful in the role requires a lot of support from executive leadership and integration with the rest of the business. Too many organizations fail to understand this and find themselves stuck with a revolving door of cybersecurity nomads.

Never off-the-clock

Getting the board to understand the return on security investments can also be an uphill struggle. This results in fear and stress among CISOs who are fully aware that their current security solutions aren’t sufficient and are working all hours to protect the business. The weight of this responsibility means it’s not uncommon for CISOs to find their personal lives hugely affected by the stress.

The high-pressure nature of the CISO’s job isn’t totally lost on the C-suite: CISOs believe their security team to be moderately or tremendously stressed. However, boards consistently underestimate the personal impact of workplace stress on their security team.

Hackers don’t choose their hours, and this tends to ripple into security teams and their leaders; you are never truly ‘off-the-clock’.

CISO Vulnerability

CISOs can feel very vulnerable and lonely in their roles – it can be seen as a thankless job. They are also at moderate risk of becoming the immediate scapegoat if a security breach occurs, even though it’s highly unlikely that the fault was directly theirs, especially if the root cause was underinvestment, poor culture or poor business-risk choices.

Regarding responsibility, there is a noticeable difference between the CISO and the CIO (chief information officer) when a cybersecurity incident occurs. “How many CIOs lose their jobs when an organization suffers a major outage?” The answer is not many!

Affecting mental health

88% of CISOs feel moderately or tremendously stressed dealing with their high-pressure, high-demand and high-stakes job. A large part of CISO churn is due to frustration with progress.

Many CISO activities are long-term, iterative improvement programs, solving fundamental problems that were never addressed properly, with the occasional firefighting thrown in for good measure. It can be challenging to feel a sense of accomplishment without stopping to deliberately take stock.

The churn becomes a bigger problem when each new CISO demands a reset of strategy, priorities, and commitments, with old roadmaps torn up and new ones established. While a refresh of strategy and roadmaps is often necessary, with CISO tenures of less than two years it also means you never get to the bottom of some of the more fundamental security challenges.

Lack of business commitment

Where I’ve seen CISOs have short tenures, it’s often because the business isn’t fully committed to security as an ongoing program of work.

A lot of CISOs are really at the mercy of the product and technology teams who prioritize and implement security fixes, and quite often the prioritization of those fixes is either not well understood or not well communicated. This can lead to security teams finding themselves held responsible for security events that they not only foresaw but actively lobbied to fix.

I believe it’s this pressure that causes many CISOs to feel like they don’t have the right level of influence within their organization to be effective and successful in their role. So, ultimately, they choose to leave.

“CISOs require accountability and authority to be effective, not just accountability.”

The success of your CISO very much depends not only on the financial investment in their function but also on the support from their peers across the business.

Stopping the Churn

So, is there anything businesses can do to help stop the churn? When it comes to employee retention, there aren’t really any shortcuts.

Principled leadership, inclusive cultures, accessible and empathetic support, and openness around mental ill-health are all fundamental factors for creating engaged, healthy and happy cultures, particularly at a C-suite level. Employers can take practical steps to support these areas among their workforce and provide tools to help them nurture their own mental health. But the problem of high churn rates among CISOs won’t go away until businesses tackle the root causes of unhealthy levels of stress head on.

Regulators and governments should continue to reinforce with business leaders that the buck stops with them when it comes to security and risk management, and ideally legislation should support the CISO in being fully effective in their role and not the sacrificial lamb.

CISOs need to spend more time connecting with and getting the support of the business. Ideally, too, those holding the purse strings should give the CISO the headcount and bandwidth they need to do their job effectively: finance, people, tools and resources. But, in return, CISOs should be more articulate about their vision statements and be able to express these in language that resonates with the board. And if they can, CISOs should recruit people into specific leadership positions within the security team, and trust and empower them.

Embedding change and improvement requires a consistency that could be lost with a regular ‘changing of the guard’. Businesses therefore need to ensure that CISOs have the right authority, budget, team and technology stack to do their job effectively – and help to stop the churn.