Recently, I was speaking with a new CISO at a casino property who had walked into an absolute mess of an environment, with cybersecurity risk that was “off the charts” and “unmanageable.” It is very tempting to come into a new company and be the superhero who fixes many of the issues right away, and that may look good in the C-suite, since your first 90 days define who you are.
All the indicators show that a lot of work needs to be performed on short order, and you want to show leadership and motivation and be known as the person who “gets things done.” No CISO wants to be perceived as the last CISO, who most likely did not work out or burned many bridges within the company.
While it may be tempting to roll out new tools, patching, programs, teams, monitoring, end-to-end encryption, etc., these are great ideas and intentions, but they may end with the CISO being kicked out the door within a year.
Why? When a CISO shows up, it is important to remember that you will be viewed as the “IRS,” the person who will be telling everybody what they are doing wrong in their jobs. This is a harsh image of the CISO, but perception is reality.
Not many people like or enjoy working with the IRS. Because you are the CISO, they assume you are there to tell everybody how they are doing everything wrong; it feels as if you are calling everybody’s baby ugly, because you are finding vulnerabilities and problems everywhere.
In addition, the CISO is another step in the overall business approval processes across the enterprise. The CISO can be seen as the gatekeeper for key decisions, even though we would prefer to see ourselves as business enablers protecting the company’s data assets. The perception of CISOs among other business executives is, in general, absolutely horrible.
If you do not throttle yourself as the CISO, it is highly likely that your career within the company will be in jeopardy. It is easy to be misled into believing that, as the CISO, you came in to perform all the duties assigned by the executive leadership team, while failing to recognize that the rest of the company will experience “cybersecurity exhaustion.”
Cybersecurity exhaustion is very much like a hangover after a fun night of partying. For the first nine months on the job as a CISO, everyone will be pleased with your ambition, your progress, and how you are making the company more secure, but it is important to remember that the party does not last forever, and if you party too hard, everyone will wake up with a bad hangover. As a new CISO, it is great to have the visibility and the spotlight on you, but people will get tired of you and will seek ways to derail your efforts. While this may sound sadistic, it is the unfortunate behavior and way of life in a company. People get tired of the superstar of the party.