Nothing will change until the profile of the CISO is raised and they start to see their role over the mid to long-term
Surveys suggest that the average tenure in a CISO position is around 2 years.
Although it seems to vary across industry sectors, this figure is supported by a large amount of anecdotal evidence and matches our field experience working with clients. The same goes for the reasons behind the early departures of many CISOs: it often starts with the sense that the internal situation is vastly different from what they had been “sold” throughout the recruitment process; they don’t feel valued or listened to; they feel trapped in management models where many key decisions are made elsewhere without their involvement; they feel they don’t have adequate resources, in terms of budget or staff, to do what they would like to do. So they leave, having achieved very little in practice. And in a number of cases, they leave for larger organisations or a larger pay package, because of the tensions on the recruitment market around those roles.
Then, at best, a caretaker manager is appointed; or worse, the role is left vacant for months until someone is recruited internally or externally. Then someone new comes in, almost always with different views from their predecessor, and with the risk of the same scenario repeating itself.
This type of managerial discontinuity, in particular when experienced repeatedly over a decade or so, is at the root of the maturity problems many large firms are facing around cyber security.
Over time, as almost nothing gets achieved at each iteration, the need to drive a fundamental transformation of security practices becomes more and more pressing. But creating genuine momentum for change also becomes more and more difficult, as management grows frustrated and security becomes a problem topic, one that has already failed.
The whole situation questions the average profile of the CISO as much as it does the appetite of their management for security.
In particular where driving a fundamental transformation programme around security practices is a key objective, the CISO needs to be an executive with the right amount of management experience, personal gravitas and political acumen. This cannot be a job for a technology hobbyist, an ex-auditor or a life-long consultant.
With the right level of seniority should come a sense that “Rome wasn’t built in one day”: A sound and honest appreciation of the culture of the firm, the pace at which it might change and, as a result, a sound appreciation of the time it could take to turn things around. Also a sense that only a shared transformative vision – shared with senior management and stakeholders – can drive and sustain change over the mid to long-term.
It cannot take 2 years for the CISO to realise that they are in the wrong job. In fact, the first six weeks are key: over that period, the new CISO will have met with their management and their team. They will have met with key stakeholders and developed a sense of the challenges ahead, including the cultural and geographical diversity of their new organisation. They will have built a sense of what needs to be done, where they are in the budgetary cycle, and which resources they have, or could claim, to deliver.
If the points of divergence with their management are too salient, it is at this point they should leave, and they should have the management experience and self-confidence to see it that way. Of course, it does make the first six weeks in the new job hard and challenging, but it is also about building trust and only trust between the CISO and key stakeholders will sustain change.
Spending the first six weeks or the first six months putting out fires, or politically pushing a technical agenda the business stakeholders don’t quite understand, is a recipe for building frustration, not trust. Constant firefighting downgrades the role of the CISO. Pushing an arbitrary technical agenda and focusing only on the resources to deliver it also downgrades the role of the CISO, and takes the debate onto the political minefield of priorities: every senior manager in the firm has their own views on what needs to be done next, their own pet project and their own political weight. This is something the new CISO should avoid.
Instead, they should spend their first six months building a coalition around a transformative agenda that is right for the firm, together with an execution framework and a governance model to deliver it. The whole exercise should clarify priorities, timeframes and resources for all stakeholders.
And it should give the new CISO a view over their tenure that is commensurate with the task at hand. In most cases, it will stretch well beyond the average 2 years and could point towards a 5-year horizon, maybe a 6 to 9 year horizon. Seen in that light, taking on a CISO role becomes a very significant career step; even more significant if we take into account the seniority requirements we are placing on the role, which necessarily make it a mid to late-career step.
As a result, the CISO will have to be incentivised to stay the course and executive management must remain consistent with the agreed direction of travel. It will be hard for firms where short-termism prevails, but those who achieve it should start breaking the spiral of security failure in which they were entrapped.