10 CISO career-killers and how to avoid them

Don't let these missteps hamper your professional ambitions.

Most CISOs don’t expect a breach to get them fired.

Only 6.8% of the 207 U.S.-based CISOs surveyed by Osterman Research for the Nominet 2019 report, Life Inside the Perimeter: Understanding the Modern CISO, believe that a significant security breach would lead to their termination. Only 21.7% say they’d even get an official warning. In fact, a majority of CISOs – 56% – say their fellow executives would come to their aid and help them resolve it.

CISOs, however, still recognize that there’s a lot riding on their performance, and they feel that heat. The same study, for example, found 55% of the 408 U.S. and U.K. CISOs surveyed pegged their average job tenure at less than three years, while 30% put it at less than two. (The U.S. Department of Labor says it’s actually 4.2 years.)

It’s hard to determine how much of that churn is voluntary. Many CISOs certainly leave on good terms and of their own accord. But executive advisors report (and some high-profile cases prove) that others are squeezed out for various reasons and some are, indeed, fired outright.

What, then, can lead to such fates if a breach isn’t what gets a CISO sacked? Here experts share 10 scenarios that can get a security executive canned.

Failing to speak in executive terms

Cybersecurity is now a board-level agenda item, with board members and the entire C-suite expecting more thorough briefings from CISOs about the strengths of the security posture, the weaknesses in it, plans for improvement and how all of that fits into the organization’s overall strategy. Yet many CISOs still rise to that position through a string of technical positions, leaving them inadequately prepared to deliver the strategic-level presentations the board expects, says Darrell Keeling, vice president of information security at Parkview Health and an adjunct professor with the CISO executive education and certificate program at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy.

“They haven’t been mentored or groomed to speak to the higher levels of the organization,” Keeling says. As a result, some CISOs struggle to present security-related issues in the strategic business-focused terms that the board expects, thus leaving the board with a less-than-stellar impression of the security chief. Some CISOs opt to let the CIO, CTO or another executive present on his or her behalf, which adds an alienating layer between the board and the CISO. “So when something does happen, it’s perceived that the CISO hasn’t been transparent with the board,” Keeling adds.

Glossing over bad news

Keeling says he sees another problem with CISOs as they work with their executive colleagues and the board: They can gloss over problems. He says he has seen CISOs present only the positive metrics to their boards. Some CISOs might do that because they don’t want to look incompetent, Keeling says, or they might mistakenly think the challenges get into technical discussions beyond the board’s scope. “Whatever the reason, CISOs can get wrapped up in ‘I can’t tell the board this, or can’t tell them that,’” he adds. But boards aren’t fooled.

They might not be security experts, but board members know that organizational security is more complex than a panel of green metrics. And they’ll likely lose faith in any CISO that can’t be forthcoming and transparent when delivering reports. “The board doesn’t want to be told everything is great. You have to be able to tell them the reality of what the organization looks like. You have to give them an honest assessment and give them confidence that you have a plan to move them forward,” Keeling says.

Surprising the boss

The CEO, along with any other executive who directly or indirectly oversees the security function, doesn’t like surprises. They don’t want to be blindsided by an attack that the CISO never warned them was even possible or by an immediate need for large expenses – especially if such issues first come to their attention at a board meeting or in some other group forum or public setting, says John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity training organization. “The CEO really doesn’t want to learn about security needs that way,” Pescatore says. If he or she does, the CISO’s days could be numbered.

Going it alone

CISOs could find themselves out on a limb if they’re pointing to problems and nobody else cares, says Mansur Hasib, a former IT executive who’s now chair for the Graduate School cybersecurity technology program at the University of Maryland Global Campus. In such cases CISOs could find themselves at odds with other enterprise leaders who might not tolerate the CISO’s questions about their agenda.

It’s a sticky situation, Hasib acknowledges, to be advocating for an ethical path when others don’t share that concern. He advises security executives in such situations to move on before their own reputation suffers. Better still, he says, CISOs can try to determine an organization’s ethical position before taking a post by asking questions about the organization’s and the executives’ key values during the interview process.

Being the department of 'no'

On the other hand, CISOs who want to keep their posts can’t let security concerns be an impediment to business growth, Pescatore says. “There are security groups saying, ‘We can’t make sure that [proposed new business initiative] is secure, so we’re raising objections to allowing it at all.’ That’s another issue where you see CISOs being told to move on, those cases where CISOs are seen as an impediment to business success, where they’re just raising objections rather than finding solutions.”

Missing something big

Although most CISOs don’t expect to be fired if a breach occurs, they can still expect trouble in the office if they overlook or miss red flags, Pescatore says. CISOs who have missed security holes in companies that their own organizations are set to acquire, or CISOs who drastically underestimated the risks their own enterprises face with regard to known security threats, are often sent packing. Even if the resulting problems are contained, the CEO and the board have lost confidence that their CISOs are up to the job, Pescatore explains.

Trailing your competitors

The executive team and board members have a chance to measure their security program and its leadership when similar problems hit multiple organizations, Pescatore warns. So any CISO who trails the organization’s competitors or similar enterprises in restoring services and returning to normal will be called to account. “You’ll be getting fired because the company lost more than the competitors who were hit by the same issue,” he says.

Signing on to be the fall guy

A CISO who steps into the role at an enterprise where the position is pushed down a few levels on the org chart, and where the pay dramatically trails the other chief executives, should consider his or her days numbered, Hasib says. He says his research has found that those organizations want someone in the position solely to take the blame when something inevitably goes wrong.

“A lot of people don’t look at the org chart, but it’s the most critical determinant of how security is viewed; some organizations purposely hire someone to be the fall person,” Hasib says, explaining that where the CISO sits in the executive structure indicates whether the organization sees security as a business enabler or simply a cost center. A number of CISOs could be in this position; consider, for instance, that a 2019 survey of 209 CISOs by Forbes Insight and security software maker Fortinet found that 36% say an inadequate budget has a significant impact on their cybersecurity programs – with 18% saying that budget limits were their greatest constraint.

Allowing a hostile work environment

The numbers are bleak: According to the 2019 report, (ISC)² Cybersecurity Workforce Study: Women in Cybersecurity, women make up only about a quarter of the cybersecurity workforce. Meanwhile, the 2018 report Innovation Through Inclusion: The Multicultural Cybersecurity Workforce, from (ISC)² and the International Consortium of Minority Cybersecurity Professionals (ICMCP), found minority representation within the cybersecurity profession stands at 26%, with racial and ethnic minorities tending to hold non-managerial positions. Pescatore says some security departments retain an unwelcoming culture. If that’s still the case for a CISO today, they can expect more CEOs and boards to seek improvement by changing the leadership at the top.

Failing to build the right team

No CISO can do it all, and those who try will find themselves overwhelmed by the work, endangering the organization’s security and hindering their own careers. “If they don’t surround themselves with strong people who have the knowledge to do the right thing, then they won’t succeed. So the CISO should be empowered to hire the right people,” says Hasib, author of Cybersecurity Leadership: Powering the Modern Organization.

Hasib says he still sees some CISOs overemphasizing technology-based security solutions rather than balancing technology with the process and people parts of the security triad. He and others say CISOs must prioritize building a top-notch team if they want to attract qualified security professionals in these days of high demand. Doing so shows their executive colleagues that they truly belong at the top leadership tier.

Copyright © 2019 IDG Communications, Inc.