CISOs’ churn — CISOs as Chief Incident Scapegoats

CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO.

The average tenure of a Chief Information Security Officer is said to sit between 18 and 24 months. This is barely enough time to get their feet under the table. Two questions arise: why is there such volatile churn in this role, and how does it affect enterprise cybersecurity?

1. The scapegoat effect

The potential for CISOs to be used as scapegoats for security incidents is widely accepted and potentially growing. It can be: ‘We got breached under your watch, so we’ll blame you and let you go.’

The scapegoat effect is a real threat to CISOs — they can take the fall for incidents outside of their control, even when they may be trying to do the right thing within a sea of contradictory pressures.

According to Deepti Gopal, director analyst for Gartner, cybersecurity professionals are generally facing “unsustainable levels of stress.” For CISOs and other security managers, the mental and emotional fallout from occupying the scapegoat role is not only spurring many of them to look outside of their current jobs or their professions, but it’s also impacting their effectiveness when they stay.

“CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do,” Gopal says. “The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.”

Making the CISO a scapegoat is a common but not universal response to cybersecurity incidents. Agnidipta Sarkar, VP and CISO advisory at ColorTokens, points out, “Organizations who are mature tend not to blame the CISO unless the security program is actually not good enough.” But less mature organizations with weaker programs or negligent security oversight will readily activate the scapegoat effect.

This scapegoat effect is a major cause of CISO churn, whether it is instigated by the government, by business leaders unwilling to shoulder their own blame, or by CISOs who know they have insufficient resources to prevent a breach and move on before the inevitable happens.

2. Lack of board support

Board recognition of the importance of the CISO and cybersecurity is slowly growing but remains far from perfect. An August 2023 survey by BSS of 150 UK security decision-makers found that only 28% felt their role was valued; 22% were actively involved in the wider business strategy; and only 9% said cybersecurity was always in the top three priorities on boardroom agendas.

Globally, there are many companies where cybersecurity is both prioritized and supported, but these tend to be among the larger and more mature organizations. There remains a large body of newer and smaller companies where growth is often prioritized over security.

The result is often a lack of support and resources for the CISO to implement the cybersecurity controls necessary to secure the company. So, whether it is to forestall becoming the scapegoat for the inevitable breach, or simple frustration at being unable to do a good job, lack of board support often leads to CISOs seeking a new and more responsive position.

3. Stress and burnout

Stress is another cause of CISO churn. It’s not stress on its own, but the cumulative mental and emotional exhaustion caused by multiple, different, and continuous stressors: burnout.

Burnout can strike suddenly. A CISO may think he or she is handling stress effectively, but a single, final straw can suddenly and unexpectedly tip the balance. Burnout can cause physical and/or mental collapse. Sufferers may need to take extended time out, move to a less stressful position, or simply leave the industry altogether. Some CISOs are moving into consultancy, especially those who have the experience but no longer want the operational fatigue.

A recent survey by Salt Security lists six of the top personal stressors experienced by CISOs globally. Noticeably, the threat of personal litigation is #1 (48%). Only 1% of CISOs don’t feel they face any personal challenges.

The scapegoat effect and lack of adequate boardroom support are clearly contributing factors to CISO burnout – but so too are overwork and frustration. Success in cybersecurity is when nothing happens: effectively, a successful CISO can work his or her butt off and have nothing visible to show for that success.

4. The next big challenge

Not all CISO churn is caused by the job’s difficulty. There are many CISOs who are simply very good at their job and can confidently ride out all the difficulties. Such people thrive on challenge and career progression. The problem is that career progression within the same organization is often limited. The only option is to take on a new challenge in a different organization with potentially a larger budget, a bigger security team, greater responsibility, more authority, and – probably – higher remuneration and benefits. These CISOs have outgrown their existing position and need to move on to the next big challenge.

Solution

There is only one real solution to the CISO Carousel: better communication. Boards must learn to love their CISOs (which includes respect, responsiveness, resources, and support), while CISOs must better understand business imperatives and better communicate cybersecurity imperatives to business leaders.

Respect and support go beyond simply paying inflated salaries (although adequate compensation is essential). You cannot buy enthusiasm – it must be fostered by respect and support. Above all, the fear of scapegoating should be eliminated by genuine support. CISOs rarely criticize each other. When a breach occurs in another company, the general feeling is ‘there but for the grace of God go I’. Breaches cannot be eliminated. CISOs need to be confident that the expectation is to limit and ameliorate breaches, and that one single success by an elite hacker with a zero-day exploit won’t lead to dismissal.

Source: Securityweek
