CISOs, like any other senior executive, face risks every day. Because cyber security leaders are accountable for safeguarding some of their organizations’ most valuable assets, the stakes are high. A CISO who inadequately prepares for any one of those risks or manages them badly will probably be fired, as has been the case in recent high-profile incidents.

The following are actions — or inactions — that clearly indicate failures that are fireable offenses for CISOs.

1. Failure to prevent a data breach with significant financial or reputational damage

As the recent Equifax and Yahoo breaches show, companies can suffer severe damage to their reputations from such incidents. When a monumental security breach leads to financial losses and a high level of negative publicity, it’s difficult for CISOs not to take the fall.

A breach will most likely result in a firing if the enterprise can prove that the CISO was remiss in installing the latest patches or failed to update the organization’s data environment to deal with the latest threats by installing the appropriate firewalls in the data center, at remote offices, or at the network perimeter, says Laura DiDio, principal analyst at Information Technology Intelligence Consulting (ITIC).

“Sometimes firing a CISO in this scenario is purely for optics; a company has to show the public they are taking action,” says Sean Curran, senior director and national leader of consulting firm West Monroe Partners' cyber security practice. “Other times, a CISO was actually negligent and unprepared. They did not have a solid plan to respond to and recover from incidents, a plan that would have limited the impact. We find that too often the focus is on protection only.”

A data breach “is typically the most publicized firing because a data breach makes the news and can affect so many people,” says Zach Burns, executive recruiter at security search firm Stratus Search. “In an organization, a CISO should take responsibility for every person that he or she hires. Therefore, termination can take effect even if the data breach was not directly attributable to the CISO.”

2. Covering up a breach

Football coaches tell players not to make a bad play worse. Breaches are bad plays, but trying to hide them is a far greater sin. It suggests that the organization does not take its responsibilities seriously and is unwilling to properly protect its customers, employees, and partners.

The recent revelation that Uber and its CSO kept a large breach secret for a year should be a wake-up call for all senior security executives. The cover-up cost the Uber CSO his job, and it’s put the company in a very hot legal spotlight that could do permanent damage to its reputation. That’s not even considering the financial liability of exposing data on 57 million individuals. Uber’s attempt to hide the event makes them appear more guilty of negligence.

“Honesty is always the best policy, particularly with respect to enterprise security,” says DiDio. “Covering up a security breach – even if it is at the behest of a higher-up C-level executive – will destroy the organization’s trust in the individual. Additionally, it will have a domino effect, decimating the confidence of the corporate enterprise’s end users, external customers, business partners and suppliers – because it potentially compromises the security of their confidential data.”

Depending on the situation, it may be extremely difficult for a CISO to find a new job as a security professional, DiDio adds. The circumstances that led up to the cover-up, the amount of damage suffered, and how public the breach was are relevant factors. “If it was a small breach that was quickly contained with no lost, stolen, or damaged data, and if the CISO was directed by a CEO, COO, or CIO to keep quiet, then his or her chances of finding a comparable position are much better,” she says.

In a worse scenario, it may still be possible for a CISO to rebuild his or her reputation. “Any prospective new employers will be interested in crucial details like the length of the CISO’s employment, his or her work history, or the chain of command. A CISO who’s been on the job for only a few weeks or a month or two can make a strong argument for the fact that he or she was still familiarizing themselves with the company’s security and had little or no political clout about upper management’s decision to cover things up. This argument would be further strengthened if the disgraced CISO had a heretofore unblemished work history or if they were younger and this was their first CISO position,” says DiDio.

3. Taking on too much responsibility for risk and not communicating the risk to others

CISOs who assume all the responsibility for the organization regarding decisions on risk put their jobs at risk. In this case the CISO defines what the company will and will not tolerate from a security, risk and compliance standpoint, rather than being the facilitator of communication, Curran says.

“Too many security people think they shoulder the burden for the organization and that the ‘technical’ knowledge is beyond the business,” Curran says. “As a result, they do not communicate the risk at all, effectively stifling management’s ability to decide how much investment they should make to address the risk.”

A CISO “must be able to articulate risk and security solutions to a board or senior executives who are not familiar with security, so they can make informed decisions on risk tolerance,” Curran says. “By doing this, the CISO takes the burden of being solely responsible for any security gaps off their back.”

The CISO must work across all departments to have an effective security strategy, Burns says. “It is critical that this person can communicate effectively with senior leadership and other members of the organization. Failure to communicate effectively across the organization can result in poor performance of not only the team members under the CISO, but also adjacent departments.”

4. Failure to achieve or maintain compliance

Based on the nature of the company and the data that needs protecting, CISOs must show due diligence in regard to compliance and adherence to state and federal laws. “There must be reporting systems in place where the CISO is able to confirm all systems are properly updated and protected,” says Robert Siciliano, cyber security expert with Hotspot Shield.

Many companies must comply with regulatory obligations to even bid on certain contracts or provide goods or services to their customers. “If they do not get certified, there is a significant monetary impact to the company’s bottom line,” Curran says.

If they do not maintain compliance and an internal or external auditor finds a large gap, that can lead to unplanned and unbudgeted remediation costs that force the company to deal with last year’s issues rather than improving on the future. “This spiral then grows harder to escape, unless [CISOs] are change agents, which is rarely the case or they wouldn’t be in this position,” Curran says.

Compliance, particularly in the digital age where networks are increasingly interconnected and businesses are sharing data with their customers, suppliers or business partners, “is a very big deal,” DiDio says. “Compliance regulations are becoming ever more stringent, complex and numerous with each passing month.”

Regulations vary according to industry, state, country and other factors, and it is typically the job of the CISO and other security and IT leaders to work with in-house attorneys or external legal experts to ensure that their organizations comply with the regulations that apply to them, DiDio says.

5. Unprofessional conduct

As with any other type of job role, firing could result from unprofessional conduct by the CISO. It could also happen if an employee who works directly for the CISO acts unprofessionally. “If the CISO fails to correct and address inappropriate behavior, such as sexual harassment, this can lead to the termination of the CISO,” Burns says.

Unprofessional behavior can include actions such as inappropriate tweeting or questionable opinions expressed on social media. “The CISO is a highly visible member of the organization and should be careful when posting opinions publicly,” Burns says. “Any controversial opinions expressed by the CISO can reflect poorly on the company and can result in termination.”

6. Failure to deliver reliability and uptime

“Time is money,” DiDio says. “Systems, networks and connectivity devices are subject to failure. If the downtime persists for any significant length of time, it can be expensive in terms of monetary losses. It can disrupt operations, decrease worker productivity and negatively impact the organization’s business partners, customers and suppliers.”

“A security outage of any significant duration can also be a PR nightmare and damage the company’s reputation, causing lost business,” DiDio says. “Reliability and uptime go hand in hand with a comprehensive, detailed backup and disaster recovery plan that also includes an internal operational level agreement that designates a chain of command in the event of any type of service disruption.”

Every organization should have a disaster recovery plan that includes an itemized list of who to contact at vendor organizations, cloud and third-party service providers, DiDio says. “The CISO should also know what the company’s contracts stipulate as the response time from vendors, cloud, and third-party service providers to respond to and thwart security incidents and track down the hackers,” she says.