[BreachExchange] Redefining What CISO Success Looks Like

Mon Aug 31 10:15:57 EDT 2020

https://www.darkreading.com/careers-and-people/redefining-what-ciso-success-looks-like/a/d-id/1338719

Key to this new definition is the principle that security programs are
designed to minimize business risk, not to achieve 100% no-risk.

A recent study from the Enterprise Strategy Group found that the
average CISO tenure is two to four years. It would seem there are a
wide variety of contributing factors regarding why many security
professionals last less than 1,000 days in the role, among them the
fact that the role and expectations are different from company to
company. Many organizations face an ever-evolving security and risk
strategy, which can change key competencies required for success. Over
more than a decade in the security industry, I found this gray area
leads to a lot of ambiguity around what success in the CISO role looks
like and often causes misunderstandings, false expectations, and
burnout due to not just security challenges but a lack of
organizational clarity and expectations as well.

Publicity around major data breaches and compliance requirements,
along with ongoing discussions of privacy and data rights, have opened
the eyes of the C-suite and boards, highlighting the critical nature
of the CISO role. Many executives and boards view cybersecurity
investment as an insurance premium aimed at avoiding data breaches,
and often are highly reactive to the headlines about the latest
name-brand exploits or intelligence community leaks. This leads to
executives and boards asking the CISO to ensure they're protected
against these highly publicized breaches, which represent less than 1%
of common cyber threats, while lacking appreciation for the efforts
and investments necessary to address the more likely cyberattack
scenarios companies face.

This lack of clarity has led to misperceptions and inconsistencies
around the CISO role. CISO job descriptions vary greatly across the
industry, depending on the size of the company, nature of the
business, whether privately held or publicly traded, etc. It should
not be surprising that clarity of the role of a successful CISO
remains one of the greatest corporate mysteries. In some instances,
CISOs own everything from enterprise risk, compliance and service
production to deployment, all while having to do so with a commonly
undersized staff and budget, however extraordinary the business
expectations.

It is unrealistic to expect CISOs to be omnipotent cybersecurity
demigods. They should be expected to help shape their companies'
security investment priorities aligning with corporate-defined
objectives, but within reason, given organizational support resources
and operating budgets. The reality is that properly defined,
resourced, and executed security programs are designed to minimize
business risk, not achieve 100% no-risk. In addition to responsibility
for managing corporate security and compliance, many CISOs also find
themselves playing a role in business development, customer
acquisition, customer retention, employee development, and employee
retention.

Organizational development for security awareness and career
development is a major, underrated aspect of being a CISO. CISOs have
as much pressure on talent retention and talent development as other
business leaders. Cybersecurity skills are in high demand, so it's
important that security leaders work closely with their people to
ensure talent development, which enhances talent retention. In already
resource- and budget-constrained organizations, loss of your security
talent makes achieving defined business objectives even more difficult
and taxing on the CISO.

Is it realistic for the modern-day CISO to balance the heavy demands
placed on the role? Those often come without a clear alignment with
executives and boards on risk, a lack of sufficient resources and
budget, and additional business pressures that go beyond risk
mitigation. Here, in my opinion, lies the major contributing factors
to CISO burnout.

At the end of the day, it's important that the security community and
business leaders work together to actively shape and ensure success in
the CISO role. This starts with the business investing the time in
understanding the security requirements and then agreeing upon
business risk tolerance. Once risk tolerance is defined, then it is
critical to resource and fund the security program, taking into
account the ancillary pressures on the CISO role. The goal is not only
to reduce business risk, but to do so while eliminating the risk of
burnout of the CISO, an executive position that is becoming
increasingly difficult to both recruit and retain.