Today’s Chief Information Security Officer (CISO) leads an increasingly precarious life.Since the emergence of the job title in the late 1990s, the CISO job has become more complex - and demanding - by the day.
Whereas once this was a technical job focused largely on fixing firewalls and patching vulnerabilities, today’s security chiefs are expected to do this and a whole lot more. They’re charged with juggling the day-to-day operations of their security team with meeting board expectations while also staying abreast of an ever-evolving threat landscape and regular regulatory changes.
As a result, it could be argued that the CISO job is a poisoned chalice: the job is well-paid, respected and increasingly available to people of all backgrounds (thanks to the well-publicized InfoSec skills shortage), and yet the average job can last 18 months or less. A CISO could be dismissed for any number of things, from a breach or missed vulnerability to failing to align security operations with the board’s business goals.
One former head of InfoSec spoke of the challenge facing security heads in thriving - and even surviving - in their job.
“CISOs have an incredibly difficult job in that they are responsible for something they can never provide 100 percent assurance on, i.e. securing the enterprise. All it takes is one missed vulnerability, one insider or one accidental "insecure" process.
“They are invaluable when they fully understand this and can properly manage the associated expectations. The problem is that this requires not only the complete understanding of how to properly manage short- and long-term projects, completing at scale and against budget, but also the technical knowledge and security understanding to ensure the right priorities are being addressed.
“The role is almost a unicorn - technical, but with people skills. Executive-level, but with project management capabilities. Laser-focused prioritization but with broad overview knowledge and understanding.”
Given this, and the constant speculation over how CISOs come to be dismissed, CSO Online interviewed three fired CISOs, a firing CIO and a host of other InfoSec experts to find out why CISOs get fired, where they end up...and how others reading this can avoid the same feat.
Sackings rarely make the headlines
Data breaches today make headlines and - in the InfoSec community - this often results in a lot of discussion around the position of the CISO and his or her security team. Both journalists and security vendor marketing teams are quick to warn what could happen after that ‘if not when’ data breach.
And yet, for all of this, CISO sackings are almost unheard of in the media.
Data breach notification laws in the United States (and soon in Europe, with the General Data Protection Regulation) give you a record of what firms gets breached, and you can make a guess as to what happened to the security chief. However, to date most CISO dismissal stories in the press are the weird and wacky, or the very high-profile.
Sign up for CIO Asia eNewsletters.