Why Do CISOs Last Less than 2 Years in the Role?

July 24, 2022

The average tenure of a CISO at an organization changes depending on who you ask. We have seen articles and stories citing one year, two years, and even 26 months. But one thing is certain: the role with the highest turnover is CISO. There is a lot of speculation as to why, and oftentimes the churn is attributed to the CISO's own experience in the role. In most cases, a few key contributing factors determine how quickly an experienced CISO will jump ship.

The Typical Data Breach Costs in the Millions

Some companies cannot survive a data breach, and others spend years recovering from the financial and reputational damage. Either way, the cost of this type of event puts significant pressure on the CISO to recover and improve. This, combined with lackluster budgets, little authority, and a lack of buy-in from the business, can be enough to push a CISO out the door.

In many cases, if no other root cause is determined, the breach is blamed on the security department, driving the team to leave. Many factors can contribute to a security team's failure to prevent such an event, including lack of expertise and support, tight budgets, or inadequate tooling, all of which add stress to the CISO and their team. And with the exit of one or more security employees comes the burden of searching for and hiring their replacements, costing the company yet another resourcing expense attributable to the data breach.

Never off the Clock

Security never sleeps, so neither do security staff! Malicious actors have a habit of executing their attacks outside business hours, which extends those hours for the security team. Overtime regularly reaches 20+ hours a week to clean up after incidents or to ensure adequate coverage during periods of heightened alert, which are occurring more and more frequently. In addition, the current market for experienced security staff is difficult to navigate, with most organizations suffering from vacancies within their teams. This leaves the existing security employees to pick up the slack, extending their hours further.

Validating the return on security investments is difficult as well. Cybersecurity measures are often seen as a cost rather than an investment and suffer the same scrutiny as other departments that don't directly contribute to the profit generation of the business. This then pushes the security team to constantly figure out how to do more with less.

Mental Health

Stressful roles have been affecting employees' mental health for years, so it is no surprise that this pattern holds for CISOs and other security employees. Security teams have been introduced into organizations to varying degrees over the past 20 years. The CISO is still a new role, ever-growing and rarely defined consistently. Due to a continued expansion of responsibility, high pressure, and high stakes, many CISOs feel significant stress in the role.

Add the recent pandemic to the mix, with most businesses moving to a work-from-home structure and the nuances of protecting those employees, and nearly 1 in 2 CISOs you ask will tell you that their job has had a detrimental impact on their mental health (1). CISOs are known to be an immediate scapegoat if a breach does occur, even if the blame isn't directly attributable to them or the root cause lay elsewhere, such as underinvestment, lack of buy-in, or lack of risk management. The stakes are high, and the remuneration doesn't reflect that. This formula creates a perfect storm for stress leave, burnout, PTSD, anxiety, and depression.

No buy-in

Businesses MUST be fully committed to their security teams' success and scope of work. In most cases, the security program is buried somewhere within the IT budget and has to be communicated as a subsection of the IT program. This doesn't give the security program the attention it deserves as part of the organizational strategy.

This all comes down to influence. A strong security focus woven into the culture of the business will always have the most significant impact. Unfortunately, for CISOs, this is rarely the case. They commence their new position and inherit whatever problems previously existed, forcing them to tidy up the mess before making additional security program improvements. Review and active participation by the management team are imperative to minimize the transition time to a more secure future state.

Many see the lack of buy-in as an accountability issue, but it’s more important for the CISO to have both authority and accountability in executing the security program. Without authority, there is no capacity to realize the promises of the security plan. 

The success of the CISO and the security program is very much linked to the size of the financial investment, the support from the business, and the authority granted to the CISO to operate their security program.

Changing your Business

Organizations can increase their support of their CISO, security team, and overall security objectives simply by having a leadership team that fosters a healthy and transparent communications structure. This can help everyone in an organization understand the roles of their coworkers and the stress that might come with them.

CISOs are battling dwindling budgets, reduced staffing, mediocre buy-in, and ever-increasing stress, all while trying to improve the security and risk posture to align with what the organization expects and to tackle the increasing number of threats from external threat actors. This sounds difficult because it is!

Understanding where the stress and pressure sit within your organization can be a great start: find the root cause, see which parts of the team carry the most weight, and disperse it. If other team members are not available to help pick up the slack, reduce pressure by automating procedures or assigning responsibility to others outside the affected team. Increase the budget to cater to workflow improvements and automation tools that can help carry the weight.

Many industry frameworks reflect that security responsibility ultimately stops at the board or CEO, not the CISO. The CISO acts as an impartial advisor who serves as a mechanism for increasing the security program's maturity and sets goals in line with company and industry objectives. But organizations need to understand that the CISO is not the sole contributor to a security program or its failure, and needs other teams and employees from across the organization to get involved. Without an inclusive culture of 'security is everybody's business', the churn of CISOs and their staff will continue.


How can Compyl help?

While understanding CISO churn is a multifaceted problem, Compyl can help. Compyl has designed a system in which organizations will have the ability to:

  • Aggregate information from multiple sources.
  • Provide thousands of compliance checks for the ISO 27000 series, SOC 2 certifications, HIPAA, HITRUST, etc.
  • Provide insight into risks through data points and monetary reporting, making it consumable organization-wide.
  • Manage an Information Security Management System (ISMS), allowing simple and on-time management of complex tasks.
  • Maintain an IT asset, contract, and vendor register to track and test entities.
  • Automate various tasks, approvals, checks, and reports, reducing the burden of cumbersome manual tasks across multiple systems.
  • And so much more.

Don't hesitate to get in touch with us on our website if you're interested in seeing a no-obligation demo of the product.

Citations

  1. https://media.nominetcyber.com/wp-content/uploads/2020/02/Nominet_The-CISO-Stress-Report_2020_V10.pdf