Lately I have seen a number of new CISOs let go after one year on the job. I became intrigued as to why we are seeing such a high failure rate for new CISOs.
I started talking to other CISOs and recruiters that specialize with cybersecurity recruiting and we started to see a pattern. The CISOs were heavy with technology experience, did not align themselves with the business, were not prepared for the C-Suite, and were being recruited by other companies for better opportunity.
To back this claim, a recent ThreatTrack survey stated that 75 percent of the executives in the C-Suite do not think the CISO should have a seat at the table. In addition, 28 percent of executives say a decision by their CISO has hurt their business’ bottom line, according to the 203 C-Level executives that were surveyed.
According to Al Lerberg, president of Cyber Security Recruiters, “the CISO must be perceived as a professional who adds value and solves problems, not a person who just says "No."
This can be a difficult transition for a security professional who doesn't have a lot of business savvy or business experience. In this role, it is critical to build relationships at all levels of the organization so they are seen as someone who can help the organization accomplish business objectives, not stand in the way of progress or results.
This can be a difficult tight rope to walk for CISOs and those who can do it really well, will always be in high demand.”
Lerberg makes some great points as it aligns with a new one-day workshop that was launched by Deloitte Cyber Risk Services called the CISO Transition Lab, which was created to help CISOs become successful in their roles. As part of the program, Deloitte did an excellent job highlighting the “Four faces of the Chief Information Security Officer” that define the functions of a CISO:
- Strategist--Drive business and cyber risk strategy alignment, innovate and investigate transformational change to manage risk through valued investments
- Adviser—Integrate with the business to educate, advise and influence activities with cyber risk implications
- Guardian—Protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program
- Technologist—Assess and implement security technologies and standards to build organizational capabilities
Deloitte’s lab findings indicated that on average, CISOs today spend 77 percent of their time as “Technologists” and “Guardians” on technical aspects of their positions, and that they would like to reduce this time investment to 35 percent. This demonstrates a recognizable shift in Deloitte’s desire to place greater emphasis on the “Strategist” and “Adviser” functions. The common denominator is the CISO needs to align with the business to have a long tenure with a company. If they don’t, they will be joining the ranks of many CISOs shown the door with a one year tenure blemish on their resume. Every hiring manager and recruiter will want to know if the CISO was terminated for poor performance, did not align with the business, or didn’t know how to survive the C-Suite.
The aforementioned four CISO categories are well characterized to help balance out a CISO that is typically technology heavy and lacking business experience. Recently, I was speaking with a CISO for a financial services company about how they created a new consulting function within the CISO group to better support the business. The CISO created a consulting arm within their group to strategically support the company as a whole with trusted advisers and have better business partnerships. Coincidentally, this CISO has been in his role for 12 years and he is leveraging the four pillars of success below:
- Find a mentor—don’t try to figure everything out on your own. A great place to look is your LinkedIn contacts and find experienced CISOs that have been in their position for at least three years. These individuals tend to have solid executive experience and can be a great resource to help you be successful with your own career.
- Learn your business and how every department works. Everyone you work with will respect you for taking the time to understand their business, the challenges they are faced with and you will find opportunities to help them with common agendas that may be aligned with your agenda. It is a great opportunity to build your brand within your own company and be humble when you meet with the other functional executives. Be likeable. This will pay dividends when you need a favor to push your cybersecurity agenda.
- Spend more time with your CIO and “walk a mile” in their shoes. You will start to see why you mostly report into the CIO function and how your decisions have a dramatic impact on the company and the CIO’s agenda. Learn to be an ally with the CIO. I also recommend stop trying to report into the CEO of the company because you have an issue with the reporting structure with the current CIO reporting structure. Get over it, and work with your CIO. This is your most important relationship you will have within your company as the CIO can help your career or break your career within the company. Don’t underestimate the power of the CIO, even if you do report into the CEO.
- Take the time to read and learn from a variety of business books. You are now swimming with sharks and you need to bring your political “A” game to the table if you expect to be taken seriously and want to survive.
- Be careful not to “overplay your hand” with a large cybersecurity agenda that creates “cybersecurity exhaustion” that makes the impression your job is to tell everybody else what they are doing wrong in their own jobs. You don’t want to look like the IRS department within your company, because nobody likes working with the IRS.
- Be the trusted adviser within your company. Your job is to help others, not tell them what they are doing wrong or what they should be doing.
- Ask for help. Deloitte & Touche, LLP just developed the CISO Transition Lab to help accelerate a CISO’s performance. This is a program that is designed to help you thrive within your business. Also, many universities offer short summer executive programs ranging from one week to a couple months that can expand your current business knowledge of how a business functions. You have to find a way to function within your business and not be the techno geek that wants to protect everything within the company.