Stephanie Benoit-Kurtz spent much of her career taking jobs where the priority is crisis cleanup. “I’m brought in when organizations don’t have what they need and they need someone to figure that out,” she says. That means assessing cybersecurity capabilities, pinpointing problems, and closing gaps. The work makes her, in her words, “a nicely paid janitor.”

Benoit-Kurtz and other security experts like her have plenty of opportunities for work, with high-profile breaches and hacks pushing CEOs and boards to hire new leadership, hoping that the top-level switch-up will set their organizations on a better course in the aftermath of a disaster.

SolarWinds, for example, hired former CISA chief Chris Krebs and former Facebook CSO Alex Stamos as consultants in early 2021, shortly after the discovery that Russian hackers had compromised the company’s software and used it as a pathway to launch other attacks.

Twitter hired Rinki Sethi as its new CISO in September 2020, following the high-profile breach the social networking site had suffered in July.

And a few years earlier, in 2017, Equifax took similar action, naming vice president of IT Russ Ayers as interim CISO before hiring veteran CISO Jamil Farshchi.

They’re all part of a niche class of CISOs who take on the difficult challenges that come in such crisis-fueled environments.

Leading through crisis

“Crisis CISOs—people who have been there, done that—are very much in demand,” says Paul Wallenberg, director of technology services at the recruiting firm LaSalle Network.

Enterprise executives often want new security leadership in the aftermath of a significant incident, believing that their organizations will benefit from the particular skills and the fresh perspective that a new appointee will bring, say Wallenberg and other experts.

And in many cases those executives are right: They do indeed gain something by bringing on new security chiefs.

“You see in history organizations where there was an incident or some significant regulatory action bringing in new CISOs, and some have made a night-and-day difference,” says Neil Daswani, a veteran cybersecurity leader and co-author of Big Breaches: Cybersecurity Lessons for Everyone.

But Daswani and others don’t discount incumbent CISOs, noting that they, too, can add value in crises. In fact, in a world where security breaches are considered a matter of when, not if, management advisors say all CISOs should be developing the skills and temperament it takes to lead through a crisis, to ensure that, one, their organizations can successfully navigate the post-breach challenges and, two, their own careers can weather the storm.

“There is the need for due diligence after an incident to determine whether there were gaps, and there should be repercussions; everyone should be accountable for the job they’re hired to do,” says Deborah Golden, Deloitte Risk & Financial Advisory’s US Cyber and Strategic Risk leader. “But it’s not always a clear-cut decision on [whether to bring in a new CISO]. What’s most important is how quickly the CISO and other executives can respond.”

After the fall

Publicly traded companies that suffer a breach are most likely to hire new CISOs, and they typically look for security leaders who have experience handling a crisis, Wallenberg says.

“These companies are changing faces no matter what. Whether it’s a placebo effect or not, it’s a way of alleviating concerns going forward,” he adds.

Government agencies likewise have a history of dismissing presiding CISOs during crises and appointing new CISOs to take over, at least in part because “[t]here’s often blame that needs to be laid at someone’s feet,” Wallenberg says.

Private organizations often seek out new CISOs at such times, too, according to industry insiders, although they frequently make the switch quietly to avoid bringing further attention to any security concerns.

CEOs have good reasons for wanting to bring in a new CISO to handle a crisis, Daswani and others say.

To start, a new CISO generally brings to the position needed skills—whether deep industry knowledge to appropriately align controls to risks or experience with new zero trust security protocols—that the incumbent CISO lacked in ways that contributed to the incident.

“You may need to bring someone on who can see what their predecessor couldn’t see or help the leadership see what they couldn’t understand previously,” says Daswani, co-director of the Stanford Advanced Security Program and the former CISO of Lifelock and then Symantec’s consumer business unit.

The new CISO, for example, may be more capable of identifying gaps and persuading the C-suite to make the investments needed to close those gaps, he explains.

Furthermore, crisis CISOs can help post-incident by signaling to the security department and to the enterprise overall that leadership is serious about making changes and improvements, Wallenberg says.

“It’s not just the CISO who adjusts when a crisis happens; the whole security department and the whole organization does as well,” he explains. “Companies have to make big shifts.”

The case for incumbents

To be fair, a CISO hired during a crisis often has an advantage in advancing his or her agenda. First, the new CISO won’t have to convince others that security needs attention, as that fact is already evident thanks to the incident that took place. Second, the rest of the C-suite is eager to demonstrate a commitment to security initiatives.

“When there’s a new security leader brought in, I think everyone is going to be open-minded and have open ears again,” Daswani says.

Despite the benefits that a crisis CISO can bring, Daswani says not all post-incident scenarios call for such leaders.

Daswani says chief executives and their C-suite leaders need to consider the incident’s nature and severity, early indicators of how and why it happened, and the existing CISO’s capabilities when determining whether to keep or dismiss the incumbent CISO.

“A company hit by a ransomware attack, which maybe means it needs a better anti-malware suite and a better backup strategy, could be the kind of incident best dealt with in a very straightforward way with no need to change leaders,” Daswani says. “It may be better to keep the security leader in place with a goal of reducing risk quarter by quarter.”

On the other hand, an organization that experienced a persistent attack from a nation-state hacker could very well need a more seasoned CISO than the one they had.

“Those are very different kinds of incidents, very different kinds of threats,” Daswani says.

It’s important to note, too, that security leaders say incumbent CISOs provide their own value in a crisis. Assuming they’re qualified, they know the technology, the business processes and the industry as well as the threats and the risks that are unique to their own organization. Given all that, they could possibly identify the root causes of the security incident more quickly than even a CISO brought in specifically for that task.

Chaos junkies needed

Still, industry leaders say that not all CISOs have the full range of business, leadership, and security skills required to work through that critical post-incident period, when there’s a spotlight on the enterprise and tensions run high.

“We don’t want someone always complaining about the house being on fire; that’s not going to help,” Daswani says.

Daswani has taken on the post-incident CISO job during his career, and he says the job requires someone who will take charge yet demonstrate empathy to those impacted by the attack. He says organizations benefit from someone who has had prior experience working through a security event.

Benoit-Kurtz says she, too, has learned from experience what traits are needed to succeed as a crisis CISO. There’s the ability to work through the turmoil—a trait she believes most CISOs in general already have.

“In order to be in cybersecurity, you really have to be a chaos junkie because every day is something new that you didn’t expect,” says Benoit-Kurtz, who is currently the director of cybersecurity at Station Casinos and lead faculty chair for cybersecurity programs at the University of Phoenix.

They must be able to formulate a strong forward-looking security strategy, articulate it and then advocate for it—forcefully if needed. “The organization needs to have someone willing to challenge the other executives, because you can’t throw Band-Aids on [the problems] and be done,” she says.

At the same time, the crisis CISO needs to be calm in that chaos and possess the ability to communicate in ways that elicit in others the appropriate level of concern; they should know how to talk about security without alarming others while still impressing the need for remediations.

“You have to have astute communication skills to calm nerves and navigate the crisis calmly. And you have to be a bit of a politician. You have to be able to navigate a lot of stakeholder relationships,” Wallenberg says, pointing out that these CISOs often work closely with regulators and lawyers to handle the government probes and lawsuits that often follow cyberattacks.

Additionally, such CISOs must have the technical chops, the security expertise, and the cultural fit.

“The job can be adversarial and tough because you’re telling vendors and the organization that the environment isn’t good, so you need someone who has the tenacity to stay tough but the skill to build consensus,” Benoit-Kurtz adds.

These CISOs must also be skilled at quickly assessing workers’ skills and bringing together those with the needed capabilities, a high level of commitment, and a willingness to speak up. “You need people who will challenge traditional approaches. So CISOs need to have team members who will challenge them, and the CISO needs to be secure enough to deal with that,” Benoit-Kurtz says.

A growth opportunity

CISOs experienced in crisis management and willing to take on the task are in a growth profession. But, then again, given the number of cyberattacks happening, every CISO will have those growth opportunities in the years ahead. Experts say many CISOs will indeed find themselves handling a significant incident at some point in their careers; some will handle more than one—even without seeking out such positions.

Golden has faith they’ll rise to the occasion.

“I do think that the majority of security leaders are well-suited to handle a crisis,” she says. “But you have to build that muscle; you have to train it.”

She says CISOs should prep for such events, perfecting the skills they’ll need as they build the incident response plans they’re already expected to develop as part of their regular duties.

“It’s understanding what the pressures are and knowing how to handle them in a crisis,” Golden adds, noting that wargaming is particularly effective at honing crisis management skills.

Daswani agrees, saying that CISOs should be studying the history of breaches and hacks as well as their root causes so they can incorporate that knowledge into their security plans to reduce the probability of an incident and the severity of a successful attack, and to improve their chances of a quick, full recovery.