Another day, another CISO resignation, at least it feels that way sometimes. My LinkedIn and other news feeds offer a steady stream of announcements of security professionals stepping down from their roles or considering a career change.
In the span of eight days last month, there were several reports of state CISOs resigning, including in Oklahoma, Georgia, Pennsylvania and North Dakota. While this could be the start of a mass CISO exodus, it isn't necessarily a new trend. Many CISOs and other security professionals have stepped down over the past year in both the public and private sectors, leading to increasing turnover rates and an average CISO tenure of two years. While the exact motivation driving these departures is not entirely clear, there are typically a few common reasons why CISOs choose to step down. Spoiler alert: It's not always for negative reasons.
Why CISOs resign
With any job, there are always stressors and rewards that come along with the role. For CISOs, these stressors are heightened by an expanding threat landscape and by the clear and significant weight of responsibility placed on their shoulders. When an organization falls victim to a cyberattack, the impacts are potentially devastating: financial repercussions, reputational damage, disruptions to services and products, or compromised sensitive data. There's a lot on the line, but CISOs know this when they sign up for the job, so that isn't always the reason they choose to depart.
Many of us become CISOs because we see the importance of protecting organizational and individual "crown jewels" data. Unfortunately, CISOs aren’t always given the support or resources to adequately do so. This may lead to CISOs and their teams finding themselves in a reactive state, spending a lot of time fighting fires and responding to security incidents, scrambling to contain threats instead of proactively preventing them. This reactive state often leads to a feeling of chaos and imminent catastrophe. That feeling weighs heavily on CISOs, particularly if they are not positioned to make a material difference.
It's not all caused by stress. CISO experiences across technologies, industries, business units, and organizational structures can result in an incredibly well-rounded professional, equipped with a wide range of skills. CISOs have technical expertise, business acumen, agility, resilience and crisis management skills. The more seasoned a CISO becomes, the more opportunities there are for them to explore areas of interest outside of infosec. As an example, Afiniti CISO Andrew Smeaton spoke about how he used his security expertise, particularly the crisis management aspect, to help him coordinate a rescue mission in Ukraine.
During times of exploration, CISOs may discover new interests and passions that lead them to pursue roles outside of cybersecurity. The increasing number of “Chief Trust Officer” positions filled by former CISOs illustrates how the experiences of a CISO can lead to other careers. Being a CISO sometimes serves as the catalyst to finding a new career path. As a member of the CISO community, it’s refreshing to see, as it showcases the depth of knowledge and skill sets outside of the job’s technical aspects.
What can organizations do?
In short, CISOs want to feel like they are a critical part of their businesses. First, CISOs are often members of the executive team, and in this role we want to become integral business partners. Second, we want to feel as if we are a part of the solution. We want to drive change. We want to make a difference, and we want our organization to help us get there. Here are some points organizations need to keep in mind to better support their CISOs:
- Elevate the CISO and security team. The CISO's subject matter expertise gives them the ability to identify and explain technical risks and their impact on strategic business objectives. It's an incredibly valuable skill that the company should acknowledge. Make sure that the CISO has a seat at the table and a voice in enterprise decision making and planning.
- Set realistic expectations. It's not a matter of if, but when, a company will face a cyberattack. Every organization, no matter its size or funding, has become a target of a data breach or compromise attempt. Ensure that the CISO feels confident that their executive peers are ready to support them when a security incident occurs. And give the CISO and their team the time and space to work with business units proactively to prevent cyberattacks.
- Support CISOs with process transformation. Organizations can't improve if they stick with the status quo. That means embracing change, which may mean implementing new processes, technologies and strategies. Ask the CISO what their ideal security strategy and process look like and what they need from top management. Maybe the business needs to hire more talent, replace outdated systems or implement companywide policies. Figure out what they need and what the company can do to support the security team. Let them guide the business in the right direction.
- Be empathetic. The importance of a strong cybersecurity program and the consequences of failure are as pronounced as they've ever been. Threats are more sophisticated than ever before, and they do not proliferate only during normal business hours. Incidents arise in the middle of the night, or on weekends or holidays, and the CISO typically must serve as first responder. CISOs are also being charged with federal crimes as a result of their handling of security incidents. Take the time to talk with the CISO to understand their perspective and address any misconceptions or concerns about how to communicate and respond to security events. The industry also has a shortage of skilled cyber professionals, which means most CISOs are overburdened. These stressors can lead to burnout. Understand the pressures facing CISOs, and if management can't alleviate them, then at least be empathetic.
Serving as a CISO can offer great rewards when an organization appreciates and respects that person and gives them the tools they need to succeed. How a CISO is treated by other members of the executive team makes a difference and may be the deciding factor between changing career trajectory and continuing to deliver critical value and business benefits.
Dave Stapleton, chief information security officer, CyberGRX