CISO job satisfaction: Finding meaning in the mission

The top security job is highly stressful and sometimes thankless, but it can also provide great satisfaction—especially for mission-driven CISOs.

Lena Smart makes the perfect pitch for being a CISO.

She talks up the multitude of good opportunities in the field and points to the plethora of interesting challenges that come with the role.

She speaks about the strong relationships she has forged as a CISO, and she readily discusses the high levels of trust that exist between her, her team, and the other executives.

She also likes that she can set a security strategy and know that the organization supports her as she does what’s needed to implement it.

“The buck stops with me. I think that’s what gives me satisfaction,” says Smart, who in 2019 became the first CISO at MongoDB—her third chief security position.

Not surprisingly, Smart’s enthusiasm and professed love for her job aren’t universal among security leaders. The level of satisfaction vs. dissatisfaction varies from one survey to the next; some reports indicate that CISOs are overwhelmingly satisfied with their work, while others have uncovered some significant discontent.

CISO satisfaction: by the numbers

The 2020 Cybersecurity Professionals Salary, Skills and Stress Survey from the security tech company Exabeam found that 96% of respondents were happy with their role and responsibilities and 87% were pleased with their salary and earnings. The 2020 CISO Compensation and Budget Benchmark Study from IANS Research and Caldwell Partners’ Cyber Security Practice also found that the vast majority of CISOs are satisfied in their positions.

On the flip side, however, the 2021 Voice of the CISO Report from security tech company Proofpoint found that 57% of CISOs believed that the expectations on their role were excessive and nearly half didn’t believe that their organizations positioned them to succeed.

But those reports are just a start to the narrative, casting a spotlight on what makes the position exciting and fulfilling or, conversely, what makes it frustrating and unsatisfying—and how each side of that divide can positively or negatively impact an organization’s ability to secure itself and attract the talent needed to do so.

Of course, there are happy and unhappy workers in any role at all levels and for all manner of reasons, but there are some commonalities in what brings CISOs satisfaction that are indeed informative, both about the role and the people who are drawn to it.

A sense of purpose

“I feel like security in a way is a calling. If you find your calling and you find a place where you fit in, there’s nothing better than that,” says George Finney, CISO at Southern Methodist University in Dallas, founder and CEO of Well Aware Security and author of Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future.

For Finney, like many security leaders and staff, the variety of challenges that the job brings his way is part of what keeps him engaged in the role. “It’s something new every day; that is so exciting—I hear that from every security person, too—and the fact that we’re not limited to one part of the business, and we work with everybody,” Finney says. And, like other successful leaders, Finney enjoys the people-oriented parts of the job: networking with other CISOs and being part of the cybersecurity community as well as helping his staffers grow and move up the security ranks. But one of the most significant drivers of job satisfaction for Finney and other CISOs we spoke with is how their role makes a difference.

“I love being able to take apart a problem and find a good solution for it and finding those real solutions that will actually work to prevent bad things from happening,” Finney says.

Veteran security leader Ryan Gurney says the ability “to mitigate the risk down for the company” directly correlated to his job satisfaction. “I always felt that I had what I needed, and I was able to do what I needed to do,” he says.

Indeed, the Proofpoint survey finds that having a clear sense of purpose in helping society (44%) and responsibility of crafting a response using technology, people and/or processes to address evolving risk (44%) are top reasons for CISO job satisfaction.

Finney speaks directly to those points, saying “I want to be in a role where I can make a difference. That’s what motivates me to get out of the bed in the morning.”

Leaving their mark

For Andy Ellis, a former CSO, a 2021 inductee into CSOonline's CSO Hall of Fame, and now operating partner at YL Ventures, the mission is key.

“The mission was the most satisfying part certainly for me and I have anecdotal evidence that it is the same for others, that you can see how you can change the world,” he says. “I think that’s what everyone wants: They want to know they left a mark on the world even if no one else knows.”

The CISO position is one of the few roles that actually allows for such tangible results, Ellis adds.

“When those bad things don’t happen to your organization, and the reason they didn’t is because you made a change [in the security posture], that’s very fulfilling,” he says.

In fact, CISO surveys as well as interviews with security leaders turn up general themes that correspond to Ellis’ observation. The findings indicate that those CISOs who feel satisfied in their roles and with their work are those who have the authority to set strategy; the autonomy, resources, and teams to pursue their objectives in the ways they believe are best; and the trust of others throughout the organization to deliver on objectives.

“That’s the key thing for me to look for: alignment with what you think your job is and what the company thinks your job is,” Ellis says.

Seeds of discontent

Of course, nearly everyone, including even the most satisfied CISOs, has parts of their job they dislike and has weathered significant, sometimes unpleasant issues throughout their career. They’ve had, for example, frustrating disputes with colleagues about investments and strategies. Some have had to contend with breaches. But on the whole they say they’ve been satisfied with their ability to successfully do their jobs.

That contrasts with the CISOs who in studies and in shared anecdotes express ongoing dissatisfaction and frustration.

The IANS survey listed the top three causes for CISO dissatisfaction as insufficient budget, lack of organizational support, and inadequate career development.

Meanwhile, the CISO Stress Report: Life inside the Perimeter, One Year On from U.K. domain-name registrar Nominet found that 88% of CISOs say they remain moderately or highly stressed with nearly all CISOs—some 95%—working more than their contracted hours. Moreover, 48% said the excessive stress impacted their mental health and 35% said it impacted their physical health.

Security leaders say the CISOs they know who are most unhappy in their jobs are those who aren’t seen as executive peers within their organizations, who must fight for needed resources, and who still don’t have the support they require to adequately secure the enterprise.

“Many aren’t in the board room like the other C-levels are, and I do hear this frustration from many that they’re not getting the support of management,” says Gurney, who formerly led security at two tech firms and is now CISO-in-residence at YL Ventures.

That in turn can limit a CISO’s ability, or willingness, to tolerate the continuous stresses of the job—its 24/7 onslaught of cyberattacks, the sometimes thankless nature of the position, the struggles to recruit enough qualified talent.

“They expect they’re part of the decision-making process, and they’re not. They’re not necessarily aligned with the CEO and the board, so they’re in the middle of this tension,” Ellis says.

That leads to more than a dissatisfied CISO; it can lead to more frequent turnover in the role at the organization, and ultimately it can translate to a suboptimal security posture.

Ellis and others say they haven’t seen CISOs shirk their duties or disengage in such situations. But they note that such CISOs face more challenges in building an effective and sustainable security operation and have greater hurdles in attracting and retaining top talent due to the misalignment and overall lack of support.

However, security leaders stress that CISOs aren’t powerless even in those situations. Rather, they can work to cultivate better relationships with their executive colleagues; advocate for inclusion in strategic planning and decision-making conversations; and learn to more effectively communicate security needs in terms of business risks.

“You need to have a good story, and it needs to be understandable and relatable,” Smart says.

Finney has a similar thought, saying: “When there is disagreement, I have to wonder if I did my job well enough to tell the story, because if they’re getting the picture, then my job should be easy.”

Experienced security leaders also say dissatisfied CISOs may need to engage in some introspection and consider whether they really want the executive role; whether they’d be more satisfied in other positions, such as ones that leverage their technical skills rather than their managerial ones; or whether they’re in the right position but working at the wrong company.

After all, they add, the high demand for security experts means switching jobs is always an option. There’s no reason to stay somewhere that’s not the right fit.

Copyright © 2021 IDG Communications, Inc.