There are multiple reasons for the relatively rapid burnout of Chief Information Security Officers (CISO).
They include a combination of pressure and the unrealistic expectation that the CISO should not just lower the risk of major breaches, but prevent them altogether.
The modern CISO is also expected to have skills that go well beyond being a technology geek – to understand and “speak the language of business,” and be a strategic participant in business decisions.
“The new CISO is more the CIRO (chief information risk officer) tasked with managing risk to data and technology,” said Dawn-Marie Hutchinson, executive director in the Office of the CISO at Optiv.
“Five years ago, the role was buried many layers down in the organization, if it existed at all,” she said. “Today, the CISO is a business leader.”
Diedre Diamond, founder and CEO of CyberSN, speaking at the recent SOURCE Boston conference, offered three other reasons: Lack of understanding of the role, lack of advancement potential and unhappiness with leadership or company culture.
To all of that, add to the list what some are calling “vendor overload” – more than a thousand companies pitching security tools and solutions. That is far too many for any CISO to evaluate properly and still do the rest of the job.
There are still some compelling factors that make the CISO title attractive.
The money is good – the median salary according to some surveys is around $194,000, but it can top $270,000.
Unemployment in the field hovers around zero, since the demand for talent has overwhelmed the supply.
And over the past decade, the CISO role has taken on greater importance and influence.
But what Feris Rifai, cofounder and CEO of Bay Dynamics calls, “a gold rush in security during the last three years,” has made the task of evaluating security tools overwhelming.
Feris Rifai, cofounder and CEO, Bay Dynamics
“Investors poured money into the industry and as a result, more vendors surfaced. So now there is an imbalance between the number of security vendors and the number of CISOs,” Rifai said.
He noted a 2015 report by CB Insights that found, “over the past five years, $7.3 billion had been invested into a whopping 1,208 private cybersecurity startups.”
David Zilberman, managing director at Comcast Ventures, a venture capital firm, acknowledges the role investment has played.
David Zilberman, managing director, Comcast Ventures
“The need for cybersecurity is bigger than before,” he said, “so there are a lot of companies trying to build a better mousetrap. And venture capital firms are fueling it by funding these companies.
Sign up for CIO Asia eNewsletters.