6 secrets to CISO job longevity

Business focus and communication are key, say long-serving chief security officers.

Chief information security officers and other enterprise security leaders often don't remain long enough with the same organization to be able to make a strategic difference. Those that do say business focus, the ability to communicate with key stakeholders and knowing how to manage expectations are key to longevity in the CISO role.

Take Andy Ellis. As Akamai's chief security officer for the past eight years, Ellis has played a central role in implementing a zero-trust data access model that has fundamentally transformed the company's security posture. Over a total of 16 years in various security roles at Akamai he has helped define and evolve the organization's core security strategy.

Ellis believes that being at the same company for so long has been critical to his ability to affect change. "I've gotten to mold this position," Ellis says. "As I've gone along, it's been like wearing a comfortable glove. I understand how the organization works; therefore, I can get more done."

Not many CISOs can say that. Studies show that the job tenure for most CISOs typically is between two and four years. A widely quoted 2017 survey-based report from analyst firm Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) estimated the average tenure of a CISO to be between 24 and 48 months. A more recent Kaspersky Lab study concluded that barely half of all CISOs stay at their job for more than five years, but 64 percent of those that do believe they are adequately involved in business decisions, compared to 36 percent of CISOs with shorter job stints.

The lure of higher compensation is one major reason why CISOs rarely stay very long in one place. CISOs, like most other security professionals, are a hot commodity. The ESG-ISSA survey showed that 38 percent of CISOs quit their current job for better salary and benefits. That's not the only reason. The same survey showed that 36 percent leave because of a corporate mismatch and 34 percent head for the exits because they feel left out of the executive decision-making process. Other frequently cited reasons included lack of budget, lack of skill and inadequate support from upper management.

CISOs often are the first to bear the brunt of the responsibility for data breaches as well. Facebook CISO Alex Stamos and Equifax CSO Susan Mauldin are two examples of security leaders at large organizations that felt pressure to leave as a result of security miscues.

Ellis attributes his job longevity to his keeping Akamai's business requirements front and center of everything he does. Often, he says, CISOs have a tendency to see themselves as super heroes with a mission to transform a company. "There are many CISOs who think their job is to be the conscience of the company," Ellis says. "The reality is we are just the sidekicks. Our job is to help make the business successful."

Here, according to Ellis and other security leaders, are six key contributors to job longevity for CISOs.

1. Set and manage expectations

You have to set expectations for how you are going to partner with the business and be a helpful and sustainable guide to a safer destination, Ellis says. Have a clear idea of the time you have, or the time you want, to effect real change. The zero-trust initiative at Akamai, for instance, took more than six years from start to finish. When considering projects, it's one thing as a CISO to have a 10-year plan at an established business and another entirely to have such a plan at a start-up.

"Find a place that has a role for the CSO that is the role you want," Ellis says. Unlike the head of sales or marketing or even IT, the security leader's role is to help business understand and address risk. "We are the ones who come in and say 'let me help you make a better choice.'" 

2. Know what you are getting yourself into

CISOs don't join a company just to keep the lights on, says Michael Sutton, an angel investor in cybersecurity firms and former CISO at security vendor Zscaler. Most security leaders want to effect change, but the key to that is empowerment. "When I talk to CISOs that are happy in their role, it always comes down to empowerment," he notes. "Do I have a voice with the board; do I have a seat at their table; do they want to hear from me on a [regular] basis?" he says. With enough empowerment comes the resources you need to be successful, Sutton notes.

Often, people in a CISO position expect it to be a very technical role, says Tina Thorstenson, chief information security officer at Arizona State University since 2009. Increasingly, this is not the case. The CISO role has become much more about relationship building and executive leadership skills, which might come as a surprise to some CISOs. "Organizations want individuals that can translate what the technology folks are saying but can ensure that the line of business is the voice that matters," she says. Being a CISO increasingly is about aligning with the risk appetite of the business, she says.

3. Decide if you want to be a disruptor or a builder

Often companies hire a CISO when they get breached and realize they have under-invested in security, Ellis says. The new person has the mandate to come in and turn things around. Sometimes that can be successful, but too much disruption can hinder the ability of a CISO to be successful in the long term, Ellis says. To get things done, disruptors often end up pushing people the wrong way, and every element of noticeable change comes at the expense of a relationship that they will likely need for long-term success. "Every time that happens, your ability to get things done in [the] future gets eroded."

As a CISO, you need to understand the difference between being a builder and a disruptor. A disruptor is like a firefighter who knocks things down and tears things apart to put a fire out. If you want to be a builder, the focus has to be on building and maintaining long-term relationships with key stakeholders.

4. Know how to enlist the support you need

Many CISOs cite a lack of support from executive leadership as a big challenge. Often, though, that's because of a failure to communicate, says Thorstenson. She says that through her career at ASU she has carved out time to meet with vice presidents and stakeholders across the organization and gather information about their security concerns and needs. Doing this has made it simpler for her to identify initiatives that are in alignment with university requirements.

Early on in her career, Thorstenson was able to use broad concerns among university stakeholders around the security of mobile devices such as laptops, smart phones and tablets to implement an enterprise-wide data encryption plan. "I didn't demand encryption," Thorstenson says. "I heard the concerns about lost and stolen equipment and explained how one of the ways to address that was encryption. I was responding to a concern rather than trying to ram a technology through."

5. Stay on top of the technical stuff

Modern CISOs need to understand business requirements and ensure their efforts support business goals, but technical knowledge is critical as well. While you don't need to be a subject-matter expert, you do need to have the technical depth to speak at least one level deeper than other C-level executives: to know what questions to ask and to validate the quality of the responses you receive.

"The CISO needs to understand how much risk the organization is willing to take and be able to come to the table and articulate that risk," says Alex Leon, CISO at Dime Community Bank and a former security executive at Citibank and Mitsubishi. The CISO's role is to help the business understand the controls that are in place, or that are available, to mitigate risk. "CISOs are not there to say 'yes' or 'no,'" Leon says. Their role is to educate the business about risk so it can decide whether or not to move forward.

6. Focus on embedding security across the organization

One way to get organizational leaders to stop thinking about the security group as a cost center is to focus on embedding security into all aspects of the business, Thorstenson says. Rather than building a security army within the organization, see if you can embed security into each line of business and have the business owners take responsibility for managing it. "Make sure that each leader understands they are responsible for the services they make available and for securing them," she says.

Copyright © 2019 IDG Communications, Inc.