Hacker News
by toomuchtodo 1208 days ago
> Never be a CISO

Can you share why?

6 comments

Average tenure for a CISO is the lowest of any C-suite role. You will likely take the hit in the event of a security incident and be fired. Tedious work. What to do is often obvious. Getting everyone to do it is the hard part and usually devolves into politics. Thankless job; you can only be wrong once. Just not appealing, and CISO is becoming legally sketchy, requiring a lot of diligence out of a CISO to not end up in legal trouble. But if this appeals to you, it can be rewarding stuff, but it is not a great tech role IMO. Or a great management role.
> Average tenure for a CISO is the lowest of any C-suite role. You will likely take the hit in the event of a security incident and be fired.

As far as I can tell, this is the actual purpose of a CISO: being the sacrificial goat when an entity experiences a security event that ends up in the news. I say this without any sarcasm.

> As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."

For Corey Quinn's fantastic "security awareness training" thread: https://infosec.exchange/@Quinnypig@awscommunity.social/1097...

At a former job I worked directly under the CISO doing architecture audits.

He described his job as "we shouldn't do this, or this. we probably need money for both, or failing that, implement some really annoying, workflow-impacting changes that will annoy people. so gib mony plz".

Inevitably the org would say no to both, so he asked for that in writing and then played the CYA game hard when it went bad.

"a cortisol rollercoaster followed by begging followed by more rollercoaster" was a phrase he used.

> Average tenure for a CISO is the lowest of any C-suite role.

Do you have any stats to support this statement? I work as an Information Security Officer; other firms have BISOs or other names for this kind of position.

Additionally, a lot of what you are describing is either cliché ("you can only be wrong once") or only true for certain types of businesses or regions. There have been examples where CISOs have experienced legal pain in the US, see Uber's former CISO. But I would not expect companies to see this as an exemplary case.

Anecdotal observation.

Articles like this: https://www.forbes.com/sites/forbestechcouncil/2020/02/10/th...

LinkedIn data is pretty reliable, so this is not a difficult thing to study sufficiently.

BISO and CISO are generally not the same. A BISO function tends to be an interface between information security and business units.

That is certainly true. I was trying to point out that I am indeed not working as a CISO, but as an ISO or a BISO. :)

There's a reason the role is often referred to as the Chief Sacrificial Officer...

From what I've heard from other CISOs:

You own a bunch of unsolvable risk and your head is one of the first to get lopped off if you're popped.

Honestly, the CISO role probably needs a golden parachute and a direct report to the CEO for it to be an appealing path for most anyone who's experienced it at least once. The former to incentivize owning that much risk, the latter to enable the role to drive change.

That's insightful, but I still think the assumption that the CISO has to go when the company gets compromised is a big issue. Instead of security being a team effort, with the goal being making the hard choices together, finding the correct compromises to let the business thrive while being secure, it usually makes the CISO take an adversarial position to anything in their company, since it's always their head if something bad happens...

Amazing CISOs lead security by enabling others to make secure choices that still let them move quickly and deliver value. To do that, they shouldn't always be one hack away from losing their job.

The CISO is an odd role because it mostly has to help protect against tech risk without owning tech, and because it's a bit of a crap role, you end up with all sorts of the wrong people and behaviours in the role.

Common Pitfalls:

- Act as a gate that slows everything down, i.e. it must be secure, which in turn makes things less secure, as there's less time on the board to fix things.

- Chase massive budget. Eventually get massive budget. Buy silver bullets that don't fit in tech's guns.

- Focus on the non-tech parts. We'll train people not to open cat.jpeg.exe instead of, you know, auditing their usage and turning off their kit / login when they're pwned.

With anything, it's all about the people you put in place, but my experience is the average large company CISO sits on a pile of paperwork and IT security whilst their servers aren't patched.

The CISO gets blamed and fired because it's a language that shareholders understand. You think shareholders are going to understand that the CISO enabled others to make secure choices?

CISOs are starting to report to the board. The biggest challenge is budget. It's hard to put an ROI on a theoretical risk whose chances of happening are at best an educated guess. Most company leaders don't value detection of a breach but only prevention, so things like the significant cost of storing network flow logs are an uphill battle.

I fumbled on an interview once when asked "tell us how a security initiative you led brought value to your organization". I rambled on about average breach/downtime cost but I couldn't quantify anything on the spot. In retrospect, I should have focused on man-hours saved through the prevention system. It's a hard sell!

CISO direct report to CEO can be bad politics.

CISO direct report to CTO can be a conflict of interests for the CTO.

C-suite positions need a golden parachute because they can be career-ending. You don't climb to the C-suite then go back to being an IC or lower-level director.

CISO can be even riskier than other C-suite positions. So CISOs really need golden parachutes. But CISOs almost certainly don't get golden parachutes worth the while -- they are generally seen as less important than CTO, CFO, COO, and CEO.

If a risk is "unsolvable" it gets accepted as is by the accountable person in the business side of things. They will/should have good reason why they can't solve it.

Plenty of companies keep their security teams + CISO after they get popped.

Any CxO that has a boss besides the CEO isn't a C at all.

You'd be surprised how often this happens though. I've seen all of the following structures:

CISO -> COO -> CEO

CISO -> CIO -> COO -> CEO

CISO -> CSO -> COO -> CEO

CISO -> CLO -> CEO

CISO -> CLO -> CFO (wtf?) -> CEO

And none of:

CISO -> CEO, or even

CISO -> CSO -> CEO

The only one I've seen be extremely effective aside from a direct reporting relationship has been where the role reported up to the CLO (general counsel) and said role reported up to the CEO directly. Reporting up to the CIO or CFO (again wtf?), there were conflict issues at play where the CIO or CFO was obligated to prioritize their main mission. CISO to COO worked fine generally from what I saw, as did CISO to CSO to COO, but it meant the CEO was often shielded from issues where they could impactfully move the needle where needed.

---

The CFO one was at a company owned by private equity, which makes perverse sense when you consider that most business leaders consider infosec to be a pure cost center rather than a business enablement function. Doesn't help that many CISOs historically never ran their shops with business enablement in mind either, which put a lasting dent in infosec's reputation as a function that many emerging leaders are still trying to rehabilitate.

I am a CISO, but transitioning away. It is just plain boring. Lots of admin, reports, reviews, very little actual IT.

Normally you are juggling a huge amount of security technical debt, massively under-resourced; the CFO under-funding IT and having no budget for innovation in the first place is part of what caused the problem.

The security world and the compliance world are changing daily, don't track each other, and your compliance drives costs, while security drives incidents.

They shared why in the prior two sentences, when saying what they enjoy when not a CISO. "Show up. Hack. Write report."

I asked for more detail because I'm in a role training under a CISO and rapidly approaching a decision point to assume their role. Sorry I didn't make that clear in my original comment.

Anyhow, I think I elaborated in other places. I don't think it is a bad role, but as a tech-first, programming-first type of person I would never be a CISO. Even as a manager I want to manage interesting technical things and spread knowledge and skills of how to build (secure) interesting technical things to people. CISO and risk management roles everywhere herd cats and don't really get to do that. So you have to keep in mind my perspective. Comp at the top end of the risk management and information security management career can be really rewarding, but it is a mostly thankless job trying to get people to do things that no one will ultimately like all that much even if it is the right thing and they know it :)

Well, they don't call it Chief Incident Scapegoat Officer for nothing.