6 missteps that could cost CISOs their jobs

Sure, a big preventable breach might easily cost a CISO his or her job. A few less obvious blunders could do the same.


CISOs, like any other senior executive, face risks every day. Because cyber security leaders are accountable for safeguarding some of their organizations’ most valuable assets, the stakes are high. A CISO who inadequately prepares for any one of those risks or manages them badly will probably be fired, as has been the case in recent high-profile incidents.

The following are actions — or inactions — that are clearly fireable offenses for CISOs.

1. Failure to prevent a data breach with significant financial or reputational damage

As the recent Equifax and Yahoo breaches show, companies can suffer severe damage to their reputations from such incidents. When a monumental security breach leads to financial losses and a high level of negative publicity, it’s difficult for CISOs not to take the fall.

A breach will most likely result in a firing if the enterprise can prove that the CISO was remiss in installing the latest patches or failed to update the organization’s data environment to deal with the latest threats by installing the appropriate firewalls in the data center, at remote offices, or at the network perimeter, says Laura DiDio, principal analyst at Information Technology Intelligence Consulting (ITIC).

“Sometimes firing a CISO in this scenario is purely for optics; a company has to show the public they are taking action,” says Sean Curran, senior director and national leader of consulting firm West Monroe Partners' cyber security practice. “Other times, a CISO was actually negligent and unprepared. They did not have a solid plan to respond to and recover from incidents, a plan that would have limited the impact. We find that too often the focus is on protection only.”

A data breach “is typically the most publicized firing because a data breach makes the news and can affect so many people,” says Zach Burns, executive recruiter at security search firm Stratus Search. “In an organization, a CISO should take responsibility for every person that he or she hires. Therefore, termination can take effect even if the data breach was not directly attributable to the CISO.”

2. Covering up a breach

Football coaches tell players not to make a bad play worse. Breaches are bad plays, but trying to hide them is a far greater sin. It suggests that the organization does not take its responsibilities seriously and is unwilling to properly protect its customers, employees, and partners.
