As a consultant, I’ve been advising and supporting security leaders like Chief Information Security Officers (CISOs) for several years now. I’m always intrigued by the organizational nuances of each role and each person in the seat.
Let’s face it: being a CISO is not an easy job. To be successful in the role requires a lot of support from executive leadership and integration with the rest of the business. Too many organizations fail to understand this and find themselves stuck with a revolving door of cyber security nomads.
Based on my experience, there are generally three broad categories of CISOs: the first-timers, the restless spirits, and the long-haulers. In today’s post, I’ll take a look at each and how they differ. I’ll also discuss how knowing what category you fall into – or where your boss does – can help guide expectations and outcomes for your security program and organization as a whole.
Three CISO Types
Type One: The First-Time CISO
As a first-time CISO, you’re still in the honeymoon phase.
This could be the right spot for you if you’re:
- Looking for a challenge
- Wanting to make a difference
- Lured by the prospect of higher pay
Type Two: The Restless CISO
You’ve been in the CISO role a while, but your theme song is “Stayin’ Alive.” You might not like job hopping, but you tend to move to a different organization every few years.
Signs this could be you:
- Repeated bad organizational fits
- Frustration with lack of budget, skills, executive support
- Continuous lure of higher pay and/or better benefits and/or work/life balance
Type Three: The Long-Term CISO
You’ve found your sweet spot. You’ve held a position with the same organization beyond five years, and you’re not looking to make a move anytime soon.
This could be you if you’re:
- Supported by leadership and have decision-making authority
- Able to effect change and chart long-term plans
- Comfortable with how your organization operates
Your mindset as a cyber security leader directly impacts how your internal team and external consultants can support your program objectives. Speaking as a consultant, we can get a lot done together if you’re in it for the long haul, but we’ll have to move fast and get some quick wins if you’re not.
The reality is that most CISOs will only stay two to four years in their current organization, according to a 2017 report from Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) “The Life and Times of Cyber Security Professionals.” The survey indicated that 36 percent of CISOs leave because of a bad fit with the organization, and 34 percent move on because they’re not included in executive level decision-making processes. It’s a competitive career market, and 38 percent of the surveyed CISOs said they’d leave their current job for a higher salary and better benefits. Are you beginning to see my point? It’s hard to support long-term program strategies if a good chunk of the cyber security program leadership has one foot out the door.
Understanding these categories can help us think about how to embrace the first type – the new CISO – and successfully mold them into long-term employees without spending years cycling through the second type. I’m not trying to diminish the value of the second type. While the restless kind can still offer a lot of short-term value, the high turnover can make it far more challenging to build a strong security program as quickly as you might like.
It’s Not Easy Being a CISO
A recent survey report released by Nominet, “Life Inside the Perimeter – Understanding the Modern CISO”, reveals some troubling data about the work/life balance challenges of the job.
Every CISO surveyed “found their role stressful, with 91 percent saying they suffer moderate or high stress and 60 percent adding they rarely disconnect,” the report said. “88 percent of CISOs surveyed are also doing more than the average 40 working hour weeks. Worryingly, a quarter think the job has had an impact on their mental or physical health, with the same stating that it has had an impact on their personal and family relationships.” Sadly, this report also found that close to 17 percent of CISOs “are either medicating or using alcohol to deal with job stress.”
So, where do you fall on this spectrum? If you’re eager to move up the career ladder, have you thought about both the emotional skills and the business knowledge you’ll need to be successful in a CISO role?
If you’re looking at new opportunities, are you going beyond just the pay and benefits plan to take a hard look at how prospective employers view the security function?
If you’ve been in your role a long time, but you’re not happy with where you’re at and what you’re doing, what can you do to affect your current environment and make the case for getting the resources you need? Or is it time to move on?
Along with some soul searching, you’ll find that getting the right partners and organizational support is essential to your ability to deal with the stress the job brings as well as develop a mature cyber security program. In the meantime, there’s a lot of work to be done, one byte at a time.