Bob Violino
Contributing writer

6 missteps that could cost CISOs their jobs

Nov 21, 2017
Tags: Careers, Data and Information Security, Data Breach

Sure, a big preventable breach might easily cost a CISO his or her job. A few less obvious blunders could do the same.


CISOs, like any other senior executive, face risks every day. Because cyber security leaders are accountable for safeguarding some of their organizations’ most valuable assets, the stakes are high. A CISO who inadequately prepares for any one of those risks or manages them badly will probably be fired, as has been the case in recent high-profile incidents.

The following are actions — or inactions — that clearly indicate failures that are fireable offenses for CISOs.

1. Failure to prevent a data breach with significant financial or reputational damage

As the recent Equifax and Yahoo breaches show, companies can suffer severe damage to their reputations from such incidents. When a monumental security breach leads to financial losses and a high level of negative publicity, it’s difficult for CISOs not to take the fall.

A breach will most likely result in a firing if the enterprise can prove that the CISO was remiss in installing the latest patches or failed to update the organization’s data environment to deal with the latest threats by installing the appropriate firewalls in the data center, at remote offices, or at the network perimeter, says Laura DiDio, principal analyst at Information Technology Intelligence Consulting (ITIC).

“Sometimes firing a CISO in this scenario is purely for optics; a company has to show the public they are taking action,” says Sean Curran, senior director and national leader of consulting firm West Monroe Partners’ cyber security practice. “Other times, a CISO was actually negligent and unprepared. They did not have a solid plan to respond to and recover from incidents, a plan that would have limited the impact. We find that too often the focus is on protection only.”

A data breach “is typically the most publicized firing because a data breach makes the news and can affect so many people,” says Zach Burns, executive recruiter at security search firm Stratus Search. “In an organization, a CISO should take responsibility for every person that he or she hires. Therefore, termination can take effect even if the data breach was not directly attributable to the CISO.”

2. Covering up a breach

Football coaches tell players not to make a bad play worse. Breaches are bad plays, but trying to hide them is a far greater sin. It suggests that the organization does not take its responsibilities seriously and is unwilling to properly protect its customers, employees, and partners.

The recent revelation that Uber and its CSO kept a large breach secret for a year should be a wake-up call for all senior security executives. The cover-up cost the Uber CSO his job, and it’s put the company in a very hot legal spotlight that could do permanent damage to its reputation. That’s not even considering the financial liability of exposing data on 57 million individuals. Uber’s attempt to hide the event makes them appear more guilty of negligence.

“Honesty is always the best policy, particularly with respect to enterprise security,” says DiDio. “Covering up a security breach – even if it is at the behest of a higher up C-level executive – will destroy the organization’s trust in the individual. Additionally, it will have a domino effect, decimating the confidence of the corporate enterprise’s end users, external customers, business partners and suppliers – because it potentially compromises the security of their confidential data.”

Depending on the situation, it may be extremely difficult for a CISO to find a new job as a security professional, DiDio adds. The circumstances that led up to the cover-up, the amount of damage suffered, and how public the breach was are relevant factors. “If it was a small breach that was quickly contained with no lost, stolen, or damaged data, and if the CISO was directed by a CEO, COO, or CIO to keep quiet, then his or her chances of finding a comparable position are much better,” she says.

In a worse scenario, it may still be possible for a CISO to rebuild his or her reputation. “Any prospective new employers will be interested in crucial details like the length of the CISO’s employment, his or her work history, or the chain of command. A CISO who’s been on the job for only a few weeks or a month or two can make a strong argument for the fact that he or she was still familiarizing themselves with the company’s security and had little or no political clout about upper management’s decision to cover things up. This argument would be further strengthened if the disgraced CISO had a heretofore unblemished work history or if they were younger and this was their first CISO position,” says DiDio.

3. Taking on too much responsibility for risk and not communicating the risk to others

CISOs who assume all the responsibility for the organization regarding decisions on risk put their jobs at risk. In this case the CISO defines what the company will and will not tolerate from a security, risk and compliance standpoint—rather than being the facilitator of communication, Curran says.

“Too many security people think they shoulder the burden for the organization and that the ‘technical’ knowledge is beyond the business,” Curran says. “As a result, they do not communicate the risk at all, effectively stifling management’s ability to decide how much investment they should make to address the risk.”

A CISO “must be able to articulate risk and security solutions to a board or senior executives who are not familiar with security, so they can make informed decisions on risk tolerance,” Curran says. “By doing this, the CISO takes the burden of being solely responsible for any security gaps off their back.”

The CISO must work across all departments to have an effective security strategy, Burns says. “It is critical that this person can communicate effectively with senior leadership and other members of the organization. Failure to communicate effectively across the organization can result in poor performance of not only the team members under the CISO, but also adjacent departments.”

4. Failure to achieve or maintain compliance

Based on the nature of the company and the data that needs protecting, CISOs must show due diligence in regard to compliance and adherence to state and federal laws. “There must be reporting systems in place where the CISO is able to confirm all systems are properly updated and protected,” says Robert Siciliano, cyber security expert with Hotspot Shield.

Many companies must comply with regulatory obligations to even bid on certain contracts or provide goods or services to their customers. “If they do not get certified, there is a significant monetary impact to the company’s bottom line,” Curran says.

If they do not maintain compliance and an internal or external auditor finds a large gap, that can lead to unplanned and unbudgeted remediation costs that force the company to deal with last year’s issues rather than improving on the future. “This spiral then grows harder to escape, unless [CISOs] are change agents, which is rarely the case or they wouldn’t be in this position,” Curran says.

Compliance, particularly in the digital age where networks are increasingly interconnected and businesses are sharing data with their customers, suppliers or business partners “is a very big deal,” DiDio says. “Compliance regulations are becoming ever more stringent, complex and numerous with each passing month.”

Regulations vary according to industry, state, country and other factors, and it is typically the job of the CISO and other security and IT leaders to work with in-house attorneys or external legal experts to ensure that their organizations comply with the regulations that apply to them, DiDio says.

5. Unprofessional conduct

As with any other type of job role, firing could result from unprofessional conduct by the CISO. It could also happen if an employee who works directly for the CISO acts unprofessionally. “If the CISO fails to correct and address inappropriate behavior, such as sexual harassment, this can lead to the termination of the CISO,” Burns says.

Unprofessional behavior can include actions such as inappropriate tweeting or questionable opinions expressed on social media. “The CISO is a highly visible member of the organization and should be careful when posting opinions publicly,” Burns says. “Any controversial opinions expressed by the CISO can reflect poorly on the company and can result in termination.”

6. Failure to deliver reliability and uptime

“Time is money,” DiDio says. “Systems, networks and connectivity devices are subject to failure. If the downtime persists for any significant length of time, it can be expensive in terms of monetary losses. It can disrupt operations, decrease worker productivity and negatively impact the organization’s business partners, customers and suppliers.

“A security outage of any significant duration can also be a PR nightmare and damage the company’s reputation, causing lost business,” DiDio says. “Reliability and uptime go hand in hand with a comprehensive, detailed backup and disaster recovery plan that also includes an internal operational level agreement that designates a chain of command in the event of any type of service disruption.”

Every organization should have a disaster recovery plan that includes an itemized list of who to contact at vendor organizations, cloud and third-party service providers, DiDio says. “The CISO should also know what the company’s contracts stipulate as the response time from vendors, cloud, and third-party service providers to respond to and thwart security incidents and track down the hackers,” she says.