A recent report found that the average tenure of a chief information security officer (CISO) is only 18 to 24 months, citing constant stress and urgency of the job as the core reasons. For comparison, the average tenure of a chief financial officer is 6.2 years and the average tenure of a chief executive officer is 8.4 years.
cybersecurity, chief information security officer, ciso
The revolving door is not limited to the C-suite when it comes to key tech roles. A recent report from the Ponemon Institute found that 65% of IT and security professionals consider quitting due to burnout. And there are nearly 3 million unfilled cybersecurity positions at companies worldwide.
Beyond the massive pressure CISOs are under to keep their organizations and customers secure, the talent shortage for skilled CISOs means frequent recruitment to new jobs, with offers of up to $6.5 million in salary and profit sharing. Between CISOs being aggressively recruited and a large percentage of the security workforce weighing their employment options — not to mention a growing and increasingly volatile landscape that requires the top security leadership to manage and mitigate — organizations can’t afford to make the wrong choice when it comes to hiring (and retaining) a CISO.
Consider a recent high-profile data breach at a large financial corporation. It was reported that staff suggested the CISO, who came from a federal government background, clashed with employees. Prior to the breach taking place, employees raised concerns about a high turnover rate within the cybersecurity team — which included about one-third of the entire team staff in 2018. To some close to the organization, this and other missteps indicate that the breach did not entirely come out of the blue.
Cyber culture is a key to security
As security moves closer to the center of the organization, leadership and management skills have become just as important as tactical security knowledge and execution. Organizations need to consider whether the CISO candidate would be a cultural fit. Strong CISO candidates will demonstrate the ability to find, hire and retain the right people to execute on security strategy and create a culture in which employees are trusted and empowered security practitioners.
Ask them how they motivate their teams to create a positive, outcome-driven environment without burning out employees. Leadership and execution styles that clash with the security team and other business leaders could prove to be detrimental to team morale and effectiveness, putting the organization at heightened risk.
CISOs must also serve as the go-to source on issues that may impact executive-level decision. For example, they must proactively address recent high-profile breaches, vulnerabilities as well as legal and regulatory matters, and how these issues affect the business and what (if any) next steps must be taken to address them. Ask the candidate what issues they are currently tracking and how they would approach communication of these issues to the board.
Although CISOs are in high demand, when you’re hiring, it’s important to closely examine cybersecurity performance metrics from the CISO’s previous organization. Just like you would expect a chief commercial officer candidate to point to sales numbers or a chief marketing officer candidate to be able to speak to campaign performance numbers, it is critical that CISO candidates be able to communicate their previous organizations’ security performance in a measurable, meaningful way.
Take the time to find the CISO who will take a measurement-driven approach to security performance management, communicate effectively to the board and other executives and has a leadership strategy that aligns with your current (or desired) security culture.
Look for CISOs who can not only point to tactical improvements in areas like patching cadence or number of malware instances blocked, but who can also evaluate and articulate real-time, organization-wide risk and align their security strategy to business outcomes. While tactical measurements are important, they do not paint a complete picture of security performance and could leave the organization blind to potential risk.
A winning CISO will be able to discuss how he or she has leveraged a risk-driven approach to measure, monitor and manage cybersecurity program performance to mitigate risk, make data-driven adjustments in the allocation of resources and support front-line security team members to make better decisions.
CISOs are increasingly being asked to brief their boards of directors on security performance but often aren’t prepared to address board-level questions. In fact, according to Gartner, only 5% of CISOs will report security metrics that are useful to their senior business executives by 2022. Rather than a review of threat detection software updates or systems patched, CISOs must be able to provide an update on the business’s security posture in the context of operational and financial risk.
Ask your potential CISO how they would be prepared to answer and report on questions such as:
- How are we doing against the investments we’ve made and the goals we’ve set?
- Is our performance improving? If not, what is the reason and what steps are being taken to fix it?
- How do we compare to our top competitors and peers?
- Where are we trying to go?
With the framework your potential CISO puts in place to address these questions, are they demonstrating the ability to decide which investments are needed to reach their goals, set the timeline to success and get to work? Do they demonstrate the ability to tell a story?
With such a high turnover rate for CISOs and their teams and evolving cybersecurity risks, you quite literally can’t afford to make the wrong choice when hiring.
cybersecurity, chief information security officer, ciso
- ISO 27001 Lead Implementer
- ISO 27001 Foundation
- CRISC – Certified in Risk and Information Systems Control
- CISSP – Certified Information Systems Security Professional
- CCISO – Certified Chief Information Security Officer
- CyberSecurity Professional
- CyberSecurity Lead Implementer
- Cybersecurity Lead Auditor
- ISO 27001 Lead Auditor
Boyer, Stephen (2019). We’re all at risk when 65% of stressed-out cybersecurity and IT workers are thinking about quitting, tech exec warns. Recovered on 23 October 2019 from https://www.cnbc.com/2019/10/11/65percent-of-stressed-out-cybersecurity-it-workers-think-about-quitting.html