by bitexploder 1203 days ago
Average tenure for a CISO is lowest of any C suite. You will likely take the hit in the event of a security incident and be fired. Tedious work. What to do is often obvious. Getting everyone to do it is the hard part and usually devolves into politics. Thankless job, you can only be wrong once. Just not appealing and CISO is becoming legally sketchy, requiring a lot of diligence out of a CISO to not end up in legal trouble. But if this appeals to you, it can be rewarding stuff, but it is not a great tech role IMO. Or a great management role.

> Average tenure for a CISO is lowest of any C suite. You will likely take the hit in the event of a security incident and be fired.

As far as I can tell, this is the actual purpose of a CISO: being the sacrificial goat when an entity experiences a security event that ends up in the news. I say this without any sarcasm.

> As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."

For Corey Quinn's fantastic "security awareness training" thread: https://infosec.exchange/@Quinnypig@awscommunity.social/1097...

At a former job I worked directly under the CISO doing architecture audits.

He described his job as "we shouldn't do this, or this. we probably need money for both, or failing that, implement some really annoying, workflow-impacting changes that will annoy people. so gib mony plz".

Inevitably the org would say no to both, so he asked for that in writing and then played the CYA game hard when it went bad.

"a cortisol rollercoaster followed by begging followed by more rollercoaster" was a phrase he used.

> Average tenure for a CISO is lowest of any C suite.

Do you have any stats to support this statement? I work as an Information Security Officer; other firms have BISOs or other names for this kind of position.

Additionally, a lot of what you are describing is either cliché ("you can only be wrong once") or only true for certain types of businesses or regions. There have been examples where CISOs have experienced legal pain in the US, see Uber's former CISO. But I would not expect companies to see this as an exemplary case.

Anecdotal observation.

Articles like this: https://www.forbes.com/sites/forbestechcouncil/2020/02/10/th...

LinkedIn data is pretty reliable, so this is not a difficult thing to study sufficiently.

BISO and CISO are generally not the same. A BISO function tends to be an interface between information security and business units.

That is certainly true. I was trying to point out that I am indeed not working as a CISO, but as an ISO or a BISO. :)

There's a reason the role is often referred to as the Chief Sacrificial Officer...