Looking beyond stress, burnout, and scapegoating theories: What is really going on?
This good piece from Dan Lohrmann on GovTech made me think (Why Do Chief Security Officers Leave Jobs So Often? – 26 Feb 2021).
Overall, Dan’s analysis is comprehensive and the negative undertones behind the short tenure of CISOs match those in the ClubCISO 2020 Information Security Maturity Report on which we commented last year.
Still, I would frame the topic slightly differently, and I think an element of reflexion is also required on the impact the short tenure of CISOs is having on the security industry at large and the evolution of the cyber security maturity of large firms.
First of all, many firms, which never had a CISO before, have opened up new positions across the last decade, and demand is strong from industry sectors which were never real players in the security space.
When I started attending security conferences over 20 years ago, most of my peers were in Finance, big Pharma, or the Energy sector; regulated industries or industries where security has always worked hand in hand with safety, and where safety has always been a pillar of the culture of the sector.
Today, most industry sectors have some form of security practice in place. Recruitment activity around CISO roles is significant and profitable for recruiters. There is a significant shortage of quality management profiles in that space; salaries are high and are on the rise.
To put it simply, good CISOs get head-hunted – at least around me. Some offers are just “too good to turn down” and a number of them simply “follow the money”.
But for others, things are rarely as straightforward, and here I would go back to Dan’s analysis: The decision to change jobs is often rooted in a negative context, and the call from the recruiter is just the catalyst which starts the process. Again, this is clear in the ClubCISO 2020 Information Security Maturity Report: Out of the seven responses presented by the report to the question “Why did you leave your last role?” (p. 19), five are clearly and unambiguously negative: From the shocking “not seeing eye to eye with senior leadership”, to “spending too much time firefighting”, “not being compensated sufficiently”, “being frustrated by the organisation’s approach to security”, or “not having enough resources or support to succeed”.
Clearly, CISOs don’t seem to be a very happy bunch, and their frustration appears to be rooted in some form of disconnect with their management.
That’s understandable: Many CISO positions were created in response to rampant cyber threats across the last decade in industries which never had such roles in place. They were created tactically with the operational objective of preventing breaches, by senior executives who didn’t really understand the context and the transversal complexity involved in the cyber protection of large organisations.
It created situations where many CISOs struggled with limited resources and constant attacks, and never managed to build a meaningful narrative with management beyond mere firefighting.
They might have hopped from job to job, but they carried the problem with them, and over the past decade, many CISOs have not been able to develop the leadership and management skills which they would need to elevate the role to the next level.
And in parallel, expectations from management have changed. In the face of constant breaches in the news, the penny has finally dropped in many boardrooms and the “when-not-if” paradigm around cyber-attacks has taken root. Many boards have reached the point where they are ready to make very significant transformative investments around cyber security, but in exchange, would demand faultless execution and delivery from their CISO.
That’s what is putting many CISOs under unbearable pressure, because over the past decade, they have been prevented – by constant firefighting – from developing the softer skills, the personal gravitas, the political acumen, which are key to delivering complex initiatives in large firms.
To me, this is the context in which the short tenure of CISOs has to be seen. A survey by Nominet estimated it at 26 months in 2020. Anecdotal evidence from my network seems to back this up: Having analysed the Linkedin profile of 15 of my contacts currently in CISO positions, I have reached the figure of 30 months, each having held 3 different CISO position on average throughout their career.
It is time to start recognising the impact this CISO “merry-go-round” has had on the security industry over the past decade and on the evolution of security maturity in large firms.
You achieve very little in large organisations in 2 to 3 years, certainly very little that could have a lasting transformative impact – if that’s what’s required.
At best you kick start some projects, but each CISO comes in with their own culture, priorities and approach, and your successor may or may not follow in your footsteps. Over time, distrust sets in with senior management, who can’t help but noticing that breaches keep happening in spite of the investments made in that space. Security becomes a cost and a problem; an area no ambitious executive, internally, would consider as a possible career step.
This distrust and the spiral of failure fuelled by CISOs short tenures are at the heart of the problem here, and over the last decade, the situation has become self-perpetuating.
As we wrote back in 2018, “nothing will change until the profile of the CISO is raised and they start to see their role over the mid to long-term”.
To break this spiral, the Board needs to own cyber security as a genuine board-level agenda item, elevate the topic and the role, build it up as a genuine career elevator to inject raw talent – probably from business circles – and create the conditions for trust to rebuild around business security objectives driven top-down, instead of operational security objectives driven bottom-up.
It may lead to the emergence of CSO type of roles, returning historical CISO roles to their original technical purpose.
More than ever, this is crucial to drive real change across organisations made entirely dependent on digital services by the COVID crisis.