Make no bones about it, running enterprise cybersecurity and IT risk management as a chief information security officer (CISO) is not for the faint of heart. It’s a tough gig prone to stress, burnout and involuntary, sacrificial “resignations.”
Consider, for example, that one study earlier this year from Ponemon Institute showed that 69 percent of CISOs surveyed in 2018 said they believe their job will grow more stressful in the coming year. That’s because they’re struggling to keep breaches at bay in the current threat and business environment: about 67 percent of respondents say that their companies are more likely to fall victim to a cyberattack in the coming year.
At the same time, they’re facing increasing scrutiny from the CEO and the board to deliver measurable results. Unfortunately, many CISOs are floundering under this scrutiny. About 70 percent of security leaders say they struggle to prioritize security threats based on their highest business relevance. As a result, approximately 49 percent of board-level executives offer a vote of no-confidence in the security programs their CISOs have put together. For that matter, even many CISOs lack confidence in themselves—the Ponemon study showed that more than 1 in 5 believe they’ll be sacked within the next year. It’s no wonder that the average CISO tenure is 17 months.
All this adds up to a difficult situation for CISOs looking to lift themselves up by the bootstraps and truly start making a bigger dent in the cyber risk exposure of their organizations. The problem is, CISOs often are so caught up in fighting fires and surviving that there’s not much room left over for self-reflection or professional development.
For many, some of the biggest lessons learned about the job of CISO come after they’ve left their gig. Perhaps they’ve moved on to consulting or maybe they’ve jumped into an executive role at a vendor company. They might even have started their own company to fill a particular need they discovered as a CISO.
Wherever they may be, in their new positions these folks sometimes end up gaining a broader view of different business scenarios and industries. They’re also often exposed to a wider range of security and technology leaders—and their philosophies—than they once were when isolated within a single enterprise post. What’s more, they’re afforded the kind of perspective that one can only get when removed from a situation for some time.
This is why we’re catching up with these security veterans for our new series, “What I Learned About Being a CISO After I Stopped Being a CISO.”
In this series we’ll be interviewing these former enterprise CISOs to collect the lessons in hindsight they’ve picked up since they left the role. The goal is to deliver this wisdom back to the CISOs who are still in the hot seat, so that the current crop of security executives can take some insight from their former compatriots and use it to up their game while they’re still on the job.
Some of these CISO lessons include:
- How to gain relevance to the business.
- How to build great teams in the face of a security shortage.
- Navigating corporate politics.
- Cutting through vendor FUD.
So stay tuned as we bring you regular installments from our interviews with people who have been there, done that, and earned the merit badge to prove it.