{"id":116654,"date":"2023-12-04T13:19:30","date_gmt":"2023-12-04T11:19:30","guid":{"rendered":"https:\/\/10guards.com\/?p=116654"},"modified":"2023-12-06T13:25:23","modified_gmt":"2023-12-06T11:25:23","slug":"cisos-churn-cisos-as-chief-incident-scapegoats","status":"publish","type":"post","link":"https:\/\/10guards.com\/de\/blog\/2023\/12\/04\/cisos-churn-cisos-as-chief-incident-scapegoats\/","title":{"rendered":"CISOs\u2019 churn \u2014 CISOs as Chief Incident Scapegoats"},"content":{"rendered":"<p>CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO.<\/p>\n<p>&nbsp;<\/p>\n<p>The average tenure of a Chief Information Security Officer is said to sit between 18 and 24 months. This is barely enough time to get their feet under the table. Two questions arise: why is there such volatile churn in this area and how does it affect enterprise cybersecurity?<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #afcf60;\"><strong>1. The scapegoat effect<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>The potential for CISOs to be used as scapegoats for security incidents is widely accepted and potentially growing. 
It can be: \u2018We got breached under your watch, so we\u2019ll blame you and let you go.\u2019<\/p>\n<p>&nbsp;<\/p>\n<p>The scapegoat effect is a real threat to CISOs \u2014 they can take the fall for incidents outside of their control, even when they may be trying to do the right thing within a sea of contradictory pressures.<\/p>\n<p>&nbsp;<\/p>\n<p>According to Deepti Gopal, director analyst for Gartner, cybersecurity professionals are generally facing \u201cunsustainable levels of stress.\u201d For CISOs and other security managers, the mental and emotional fallout from occupying the scapegoat role is not only spurring many of them to look outside of their current jobs or their professions, but it\u2019s also impacting their effectiveness when they stay.<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cCISOs are on the defense, with the only possible outcomes that they don\u2019t get hacked or they do,\u201d Gopal says. \u201cThe psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>Making the CISO a scapegoat is a common but not blanket response to cybersecurity incidents. Agnidipta Sarakar, VP and CISO advisory at ColorTokens, points out, \u201cOrganizations who are mature tend not to blame the CISO unless the security program is actually not good enough.\u201d But less mature organizations with weaker programs or negligent security oversight will readily activate the scapegoat effect.<\/p>\n<p>&nbsp;<\/p>\n<p>This scapegoat effect is a major cause of CISO churn, whether it is instigated by the government, by business leaders unwilling to shoulder their own blame, or by CISOs who know they have insufficient resources to prevent a breach and move on before the inevitable happens.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #afcf60;\"><strong>2. 
Lack of board support<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>Board recognition of the importance of the CISO and cybersecurity is slowly growing but remains far from perfect. An August 2023 survey by BSS of 150 UK security decision-makers found that only 28% felt their role was valued; 22% were actively involved in the wider business strategy; and only 9% said cybersecurity was always in the top three priorities on boardroom agendas.<\/p>\n<p>&nbsp;<\/p>\n<p>Globally, there are many companies where cybersecurity is both prioritized and supported, but these tend to be among the larger and more mature organizations. There remains a large underswell of newer and smaller companies where growth is often prioritized over security.<\/p>\n<p>&nbsp;<\/p>\n<p>The result is often a lack of support and resources for the CISO to implement the cybersecurity controls necessary to secure the company. So, whether it is to forestall becoming the scapegoat for the inevitable breach, or simple frustration at being unable to do a good job, lack of board support often leads to CISOs seeking a new and more responsive position.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #afcf60;\"><strong>3. Stress and burnout<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>Stress is another cause of CISO churn. It\u2019s not stress on its own, but the cumulative mental and emotional exhaustion caused by multiple, different, and continuous stressors: burnout.<\/p>\n<p>&nbsp;<\/p>\n<p>Burnout can strike suddenly. A CISO may think he or she is handling stress effectively, but a single, final straw can suddenly and unexpectedly tip the balance. Burnout can cause physical and\/or mental collapse. Sufferers may need to take extended time out, move to a less stressful position, or simply leave the industry altogether. 
Some CISOs are moving into consultancy, especially when they have the experience, but they don\u2019t want the operational fatigue.<\/p>\n<p>&nbsp;<\/p>\n<p>A recent survey by Salt Security lists six of the top personal stressors experienced by CISOs globally. Noticeably, the threat of personal litigation is #1 (48%). Only 1% of CISOs don\u2019t feel they face any personal challenges.<\/p>\n<p>&nbsp;<\/p>\n<p><span class=\"alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-116655\" src=\"https:\/\/10guards.com\/wp-content\/uploads\/CISO1.png\" alt=\"\" width=\"624\" height=\"294\" srcset=\"https:\/\/10guards.com\/wp-content\/uploads\/CISO1.png 624w, https:\/\/10guards.com\/wp-content\/uploads\/CISO1-300x141.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>The scapegoat effect and lack of adequate boardroom support are clearly contributing factors to CISO burnout \u2013 but so too are overwork and frustration. Success in cybersecurity is when nothing happens: effectively a successful CISO can work his or her butt off, and have nothing to show for the success.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #afcf60;\"><strong>4. The next big challenge<\/strong><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>Not all CISO churn is caused by the job\u2019s difficulty. There are many CISOs who are simply very good at their job and can confidently ride all the difficulties. Such people thrive on challenge and career progression. The difficulty is that career progression within the same organization is likely to be difficult. The only option is to take on a new challenge in a different organization with potentially a larger budget, a bigger security team, greater responsibility, more authority, and \u2013 probably \u2013 higher remuneration and benefits. 
These CISOs have outgrown their existing position and need to move on to the next big challenge.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #afcf60;\"><strong>Solution<\/strong><\/span><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p>There is only one real solution to the CISO Carousel: better communication. While boards must learn to love their CISOs (which includes respect, responsiveness, resources, and support), CISOs must better understand business imperatives and better communicate cybersecurity imperatives to business leaders.<\/p>\n<p>&nbsp;<\/p>\n<p>Respect and support go beyond simply paying inflated salaries (although adequate compensation is essential). You cannot buy enthusiasm \u2013 it must be fostered by respect and support. Above all, the fear of scapegoating should be eliminated by genuine support. CISOs rarely criticize each other. When a breach occurs in another company, the general feeling is \u2018there but for the grace of God go I\u2019. Breaches cannot be eliminated. CISOs need to be confident that the expectation is to limit and ameliorate breaches, and that one single success by an elite hacker with a zero-day exploit won\u2019t lead to dismissal.<\/p>\n<p>&nbsp;<\/p>\n<p>Source: Securityweek<\/p>","protected":false},"excerpt":{"rendered":"<p>CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO. &nbsp; The average tenure of a Chief Information Security Officer is said to sit between 18 and 24 months. 
This is barely enough time to [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":3738,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-116654","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/10guards.com\/wp-content\/uploads\/kill-people.jpg","_links":{"self":[{"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/posts\/116654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/comments?post=116654"}],"version-history":[{"count":2,"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/posts\/116654\/revisions"}],"predecessor-version":[{"id":116657,"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/posts\/116654\/revisions\/116657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/media\/3738"}],"wp:attachment":[{"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/media?parent=116654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/categories?post=116654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10guards.com\/de\/wp-json\/wp\/v2\/tags?post=116654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}