The economics and impact of bad CISO leadership

Jun 27, 2017 · 8 mins
Careers, IT Leadership

Bad CISO leadership can be costly to a company, but even worse for your career

The global threat landscape for technology is changing and the demand for cybersecurity skills is soaring, but great skills alone are not enough to solve future cybersecurity problems when leadership is lacking.

If chief information security officers (CISOs) are to counter daily cyber threats, having a team with the most amazing cybersecurity skills and resources does not matter without strong leadership. A poor leader cannot synthesize security operations, tool sets and resources when a team is not functioning at its best to counter cyber threats to an organization.

Strong leadership is crucial to counteract daily attacks from hackers, and if your leadership skills are weak, other CISOs are going to easily recruit your staff away to improve their cybersecurity program. The best leaders in cybersecurity don’t have employee retention issues because it is a competitive market and employees don’t have the career patience for lousy leadership. Often employees are willing to take a pay and title cut to escape poor leadership that can be emotionally disruptive outside of the workplace.

Unfortunately, there are many cases when an employee has to drag themselves out of the car in the company parking lot to earn a paycheck because they dread the leadership they have to face in the office on a daily basis. Poor leaders are always going to disappoint and let down employees every day, often because they are broken within themselves and didn’t make a long-term effort at self-improvement. Anyone can be a great leader, but you must make a significant time and resource commitment to become one. Every strong leader knows that the work and training to become a great leader never stop; it is a continuous “work in progress” for the remainder of your active career.

The cost of bad CISO leadership

How much does bad leadership cost companies? There are many studies on the internet, ranging from MIT Sloan Business School to the Center for American Progress. If we look at a security engineer, security analyst or security architect position, the salary band can be $80,000 to $110,000 based on experience and responsibilities. The average cost of departure was 21 percent of base salary. This equates to a $16,800 to $23,100 company loss when a cybersecurity employee leaves a company on top of a cybersecurity shortage.

The numbers get worse for directors and vice presidents. The numbers go over $50,000 very quickly because an executive contract may be in place, along with a plethora of other compensation mechanisms that may be in play. It pays to be an excellent leader because you are saving your company money, which is why strong leadership is paramount.

Ask yourself this question: have you ever enjoyed working for a bad boss or a jerk? If you recall your best career memories, you will always remember when you had an amazing job—probably because you worked for a great leader who groomed your career path, developed you, invested in you, and treated you with respect. If you think about your worst career memories, it’s the bad boss and the horrible things that were said or things you endured, and leaving that job was the best career choice you ever made. Not a legacy or reputation for any CISO to relish.

Signs of a poor leader

Here are some tough questions to ask yourself to determine if you fit these telltale poor leadership signs:

  1. Complaining about the cybersecurity shortage and concerns existing staff are going to get “poached” from other companies offering higher salaries.
  2. Bragging about how many people work “under” you from a hierarchical perspective.
  3. Being super busy, with not enough time to actually meet every person working within the cybersecurity team, because the job demands are too high and you don’t have time for small talk.
  4. Eating lunch alone.
  5. The demand for your cybersecurity leadership is higher for external executive events but not within your own organization.
  6. Losing team members for higher salaries elsewhere or moving out of your department.
  7. Not being a member of the executive steering committee.
  8. You want to join a CISO advisory board, but nobody is approaching you, yet your peers are getting the CISO advisory opportunities.
  9. Prospective employees are not accepting job offers after meeting with your team or even you.
  10. People don’t approach you because you are not an approachable leader.
  11. You are afraid to send employees to expensive conferences because they might leave the company shortly after attending.

A confident and successful CISO leader has minimal labor problems because cybersecurity employees want to work for great leaders who can provide them with a rewarding career. A CISO might lose a person every once in a great while for a variety of reasons, but it’s not because of poor leadership.

Traits of a good CISO leader

Here are some tips to make sure you are on the path to good leadership:

  1. Give your employees, contractors and vendors a sense of purpose and take the time to explain why things are being done a certain way—it shows you value them and they are engaged.
  2. Collaborate with your peers, employees, contractors, vendors and C-suite to ask for ideas—even when you might already know the answers. A good leader always knows when to ask for help and “idea” validation through collaboration with others to build trust and credibility. Executives love to give opinions, and when they feel they are heard, they feel valued—and you become a part of the core leadership team because they view you as a trusted peer.
  3. Invest the time to get to know your employees. It does not matter if you have six or 200 employees across the globe, make the effort—even if it is for five minutes, make the time and effort! No excuses on this one.
  4. Have lunch with one of your team members or a peer in a different department. You would be amazed at what you will learn and how you will have more ears and eyes to support your agenda—and also find out who is working against your department. Situational awareness is paramount to knowing what the hell is going on within and outside your department.
  5. Groom your employees by having them in some form of training or attending a conference.
  6. Reward employees with a simple “thank you” gift card by acknowledging them and the good work they are providing.
  7. Trust your employees to make decisions—even if it’s the wrong decision. It’s a learning and mentoring opportunity that builds loyalty to your leadership. Remember, you are a mentor and someone mentored you—pay it forward.
  8. Dress for the CISO role to influence. This means making sure your appearance is consistent with your personal and professional brand of leadership.
  9. Know how to listen to your team and talk less.
  10. Set the tone at the top, and be the good example for employees to emulate you—have you noticed when employees start using the same words that you use?
  11. Have a succession plan by developing your CISO replacement. There is no better legacy than to hand-pick your successor and see your legacy carried on years after you leave the company.

If you think of your leadership abilities and skills on a scale of one to 10, how would you rate yourself, and how would your team members rate you? What leadership level are you currently functioning at, what is your target, and what are you doing to raise that number?

Being a highly effective leader is all about bringing out the best in your team members to achieve company goals. It takes leadership failures and successes to develop leadership experience. Early in our careers, we start as managers who need to evolve into leaders, and it takes years of practice, reading, coaching, and making good and bad decisions. With time, being a leader becomes natural and it looks easy to others, but deep down inside you know how hard you worked to be an excellent leader, and you have the battle scars to prove it.

CISO leadership is more important than ever, because the odds are stacked against companies for a data breach. The 2017 Cost of Data Breach Study just released by IBM/Ponemon Institute states the following:

“Two factors were used to determine the probability of a future data breach: the current data breach size and the organizations’ location. Based on this year’s research, we estimate an average probability of 27.7 percent that organizations in this study will have a material data breach in the next 24 months.”

This is a harsh reality check, and poor leadership may actually shorten this time period, which is why strong leadership can lead to better cyber hygiene and a rock-solid cybersecurity program that could counter these odds. Leadership matters, and your organization is counting on you to have a cybersecurity program that continues to improve, mature, increase in efficiency, automate more tasks, hold your third-party vendors to higher accountability, and stay attuned to where critical data lives within the organization.

In conclusion, live a life of substance, leave a legacy of your leadership for every life you have touched, and make a lasting impression of what your leadership legacy will be. Remember, employees don’t leave companies; they leave bad leaders.


Todd Bell has become an international expert and leading speaker on preventing security breaches for organizations ranging from new start-ups to Global Fortune 500 companies. As a CIO & CISO, Todd has made a global impact in safeguarding millions of consumers’ information around the globe, from building new cyber programs to maturing existing programs.

Todd is also the architect & inventor of the Bell Security Enterprise Security Architecture method, which streamlines cybersecurity controls as a virtual overlay onto an existing flat network architecture without having to move any existing systems, saving thousands of dollars and accelerating data protection on a low cybersecurity budget. The method is based on a zero-trust model and adapted to co-exist with malware in an untrusted internal corporate network.

Todd is also the creator of "What Is Your Risk Number", a method for properly assigning the cybersecurity risk ratings that vary within an enterprise, balancing business needs against proper cybersecurity controls.

The opinions expressed in this blog are those of Todd Bell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.