Nothing will change until the profile of the CISO is raised and they start to see their role over the mid to long-term
Surveys suggest that the average tenure in a CISO position is around 2 years.
Although it seems to vary depending on industry sectors, it is supported by vast amounts of anecdotal evidence and it matches our field experience working with clients. The same goes for the reasons behind the early departures of many CISOs: It often starts with the sense that the internal situation is vastly different from what they had been “sold” throughout the recruitment process; they don’t feel valued or listened to; they feel trapped in management models where many key decisions are made elsewhere without their involvement; they feel like they haven’t got adequate resources in terms of budget or staff to do what they would like to do. So they leave. Having achieved very little in practice. And in a number of cases, they leave for larger organisations or a larger pay package because of tensions on the recruitment market around those roles.
Then, at best a caretaker manager is appointed; or worse, the role is left vacant for months until a recruitment is made internally or externally. Then someone new comes in, almost always with different views compared to their predecessors, and with the risk of seeing the same scenario repeating itself.
This type of managerial discontinuity, in particular when experienced repeatedly over a decade or so, is at the root of the maturity problems many large firms are facing around cyber security.
Over time, as almost nothing gets achieved at each iteration, the need to drive a fundamental transformation around security practices becomes more and more crucial, but creating true change dynamics also becomes more and more complex, as management gets frustrated and security becomes a problem and a failed topic.
The whole situation questions the average profile of the CISO as much as it does the appetite of their management for security.
In particular where driving a fundamental transformation programme around security practices is a key objective, the CISO needs to be an executive with the right amount of management experience, personal gravitas and political acumen. This cannot be a job for a technology hobbyist, an ex-auditor or a life-long consultant.
With the right level of seniority should come a sense that “Rome wasn’t built in one day”: A sound and honest appreciation of the culture of the firm, the pace at which it might change and, as a result, a sound appreciation of the time it could take to turn things around. Also a sense that only a shared transformative vision – shared with senior management and stakeholders – can drive and sustain change over the mid to long-term.
It cannot take 2 years for the CISO to realise that they are in the wrong job: In fact, the first six weeks are key: Over that period, the new CISO would have met with their management and their team. they would have met with key stakeholders and developed a sense of the challenges ahead, including the cultural and geographical diversity of their new organisation. They would have built a sense of what needs to be done, where they are in terms of budgetary cycle and the resources they have or could claim to deliver.
If the points of divergence with their management are too salient, it is at this point they should leave, and they should have the management experience and self-confidence to see it that way. Of course, it does make the first six weeks in the new job hard and challenging, but it is also about building trust and only trust between the CISO and key stakeholders will sustain change.
Spending the first six weeks or the first six months putting off burning fires or politically pushing a technical agenda the business stakeholders don’t quite understand is a recipe for building frustration, not trust: Constant firefighting downgrades the role of the CISO. Pushing an arbitrary technical agenda and focusing only on the resources to deliver it also downgrades the role of the CISO and takes the debate onto the political minefield of priorities: Every senior manager in the firm has their own views on what needs to be done next, their own pet project and their own political weight. This is something the new CISO should avoid.
Instead, they should spend their first six months building a coalition around a transformative agenda that is right for the firm, together with an execution framework and a governance model to deliver it. The whole exercise should clarify priorities, timeframes and resources for all stakeholders.
And it should give the new CISO a view over their tenure which should be commensurate to the task at hand. In most cases, it will spread well over the average 2 years and could point towards a 5 years horizon, maybe a 6 to 9 years horizon. Taking on a CISO role becomes a very significant career step under that light. Even more significant if we take into account the seniority requirements we are placing on the role which will make it necessarily a mid to late-career step.
As a result, the CISO will have to be incentivised to stay the course and executive management must remain consistent with the agreed direction of travel. It will be hard for firms where short-termism prevails, but those who achieve it should start breaking the spiral of security failure in which they were entrapped.