Being a CISO is hard work. You must constantly balance business, technology, and regulatory requirements with things like employee and adversary behavior. You can be a superstar, create a world-class cybersecurity program and follow best practices, providing exceptional protection for the organization. Despite this excellence, a single employee can click on a malicious web link, share a password, or misconfigure an asset, leading directly to a successful cyberattack. When that happens, it’s your fault.
Yes, CISOs carry heavy responsibilities. How do they cope with this burden? Not very well, according to a study by ESG and the Information Systems Security Association (ISSA). The data reveals that 57% of cybersecurity professionals rate their organization's CISO as only slightly effective, not very effective, or not at all effective.
CISO performance depends on the situation
Reading between the lines of the research, it appears that poor CISO performance is often situational, and that this accounts for much of the turnover we see as CISOs move from job to job. The ESG/ISSA research lets us dig into suboptimal CISO performance and attrition at the same time. When asked why CISOs tend to change jobs every two to four years, security professionals responded as follows:
- Thirty-three percent believe that CISOs change jobs when offered higher compensation by another organization. In many cases it's all about the Benjamins, which may have nothing to do with job performance or satisfaction. I've heard many examples of CISOs being offered up to 40% more to move on. It's hard for CISOs to say no, so it behooves CEOs, boards, and HR managers to remember that strong CISOs are in high demand. There will always be suitors, so the C-suite needs to monitor the hiring landscape and constantly assess what it can do to keep a successful CISO happy.
- Thirty-one percent think CISOs change jobs when their current organization has a culture that doesn't emphasize cybersecurity. Obviously, a CISO's performance is strongly correlated with the organization's cybersecurity culture. Without that culture, employees will run wild, security will be bolted onto applications as they roll out to production, and the security team will remain in perpetual emergency mode, which is not exactly a healthy work environment. CISOs can influence culture, but CEOs (and HR) must drive cultural change. If that doesn't happen, CISOs can't do their jobs and head for the exits.
- Twenty-nine percent believe that CISOs change jobs when the cybersecurity budget is not commensurate with the size of their organization. Money can't buy love, but when spent wisely, it can help strengthen cybersecurity protection. Make no mistake: CISOs can and should manage and maximize spending, but there are limits to what they can do. A chronically underfunded security program indicates either a communication gap (i.e., the CISO cannot properly explain what they need and why they need it) or, more likely, a philosophical gap (i.e., CEOs and boards do not believe the organization is a target). Either way, CISOs can't turn water into wine and tend to seek out greener pastures, fiscally and situationally.
- Twenty-seven percent believe CISOs change jobs when they are not actively involved with senior management and the board. There is a pattern here. When CISOs aren't in touch with executives and the board, business decisions get made without cyber risk management or threat modeling. The CISO is seen as "Dr. No" and cannot adequately protect the business, while the cybersecurity team lives in a constant state of firefighting. CISOs tend to walk away from that "can't win" scenario.
- Twenty-five percent believe CISOs change jobs when their organization treats cybersecurity as a regulatory compliance exercise. Hello, 2006 is calling. Most organizations have come to understand the difference between strong cybersecurity and compliance checkboxes. Alas, some have not. This is a potential career killer, so smart CISOs quickly leave compliance-focused companies.
CISO job search red flags
To state the obvious, the success and longevity of CISOs are strongly correlated with the decisions of their organization's management. While I'm sure CISOs get a rosy picture from headhunters, HR managers, and executives during the interview process, savvy security managers probably know whether they have a chance of succeeding by the end of the interviews or within their first few weeks on the job. At that point, doubts are often followed by resume updates and career planning.
During their job search, CISOs should also watch for red flags. If an organization has had multiple CISOs over the past five years, the predecessors may simply have found more money elsewhere. Alternatively, perhaps cultural, budgetary, and managerial hurdles make these organizations a "no man's land" for CISOs. Caveat emptor.
Copyright © 2023 IDG Communications, Inc.