Between stress, overwork and constant new threats, Chief Information Security Officers (CISOs) face countless challenges. And the security of nations, businesses and society relies on their doing everything they can to rise to the challenges.
Growing complex threats and the rapid shift to remote work complicate an already expansive role. Today’s CISO needs technical skill and the ability to respond fast to reputation-damaging breaches like ransomware attacks.
High stress, low retention
Many CISOs haven’t been in their role long. Research by Cybersecurity Ventures in 2020 found nearly one in four (24 percent) of CISOs in US Fortune 500 companies had been in their job just a year. A further 16 percent had been in post for only two years.
There’s no single reason CISOs move around more than other C-suite executives, but higher stress probably plays a part. UK domain registry Nominet’s 2020 CISO Stress Report found 88 percent – around nine in 10 – CISOs said they were “moderately” or “tremendously” stressed. The same report found average CISO time in post was just two years and two months.
Seasoned CISO Matt White, once fashion brand Chanel’s Global Head of Information Security Strategy and co-founder of software-as-a-service platform XaaS, thinks CISOs’ biggest challenge is lack of understanding from companies and boards.
Boards and companies generally don’t understand the risk and likelihood of a cyber incident, what it will mean and what they must do to prevent or respond.
Matt White, Co-founder, XaaS software-as-a-service platform
CISOs have an uphill battle – under-resourced with budget and staff while battling red tape and bureaucracy.
Relationships make a fulfilling role
What can CISOs do to find a role where they feel fulfilled? White suggests considering what a potential employer wants from a CISO. Do they want change or someone to continue the status quo? Although it may be hard to assess before joining, a CISO should investigate how well the organization has established and resourced its cybersecurity.
White adds, “It’s paramount to understanding the type of company, its level of maturity and how supportive the board may be of changes.”
If the last CISO left because they didn’t have the financial resources or headcount for a good cyber defense strategy, a new CISO should make sure there’s since been change.
Kaspersky research, in association with Longitude, a Financial Times company, found a closer relationship between the C-suite and cybersecurity teams leads to better security outcomes. Over a quarter (26 percent) of survey respondents said they believed “strong integration between the C-suite and cybersecurity teams will be very important in the next two years.” This group also reported they were better prepared to deal with the impact of cyberattacks.
It’s important senior managers get involved in elements of cybersecurity. If CISOs foster strong relationships with C-suite colleagues, they can help those executives better understand challenges facing IT security.
Continuous skill development
With new threats and cyber challenges cropping up daily, CISOs must keep their skills and technical knowledge up-to-date. But their role also demands a range of ‘soft skills.’
“CISOs, like all C-suite roles, need continuous development, not just with technical skills,” says Naveen Vasudeva, Founder and CEO of United Arab Emirates-based CyberTree Paradox, a cybersecurity firm focused on small-to-medium enterprises. “The CISO must be a diplomat, skilled in communicating technical things simply, so others can understand and take action.”
To thrive in their career and ensure a long tenure at companies they enjoy working for, CISOs should build their skill base. This will mean they’re as prepared as possible for challenges that come their way.
A CISO needs good negotiation skills, as they deal with multiple sets of internal and external stakeholders and all levels of the business.
Naveen Vasudeva, Founder and CEO, CyberTree Paradox
But if a CISO finds they’re completely exhausted and can’t perform their job because of lack of company support, the best option may be to seek greener pastures.
Strong teams are everything
C-suite executives have a vital role in improving CISO working conditions and retention. Not all C-suite members can gain a comprehensive understanding of cybersecurity. Those who do develop that understanding can show inclusive leadership and better support the CISO.
A CISO is only as effective as the team they lead. Highly skilled cyber professionals are in hot demand, hard to retain in a competitive market. A Cybersecurity Ventures 2020 study found unfilled cybersecurity jobs grew 350 percent in the eight years to 2021. A CISO may enter a business and find their staff don’t have the right skills, making it hard to succeed in their role.
Vasudeva thinks selecting the right team is the difference between success and failure. “You can’t do it all, and you shouldn’t. Pick skills in your team you can rely on and help them develop their next moves, so you can develop yours. It’s about leadership, not management – there’s a massive difference.”
Short tenure hurts CISOs and companies, so everyone involved should address the issue. Kaspersky’s 2020 global business survey backs this up, with 38 percent of respondents saying lack of consistent management in IT security is a challenge. Being a CISO for just a year or two isn’t enough time to make a real difference or embark on transformational projects, let alone change corporate culture.
There is no one way a CISO can fully protect themselves from short tenure, but if they focus on enhancing their skills, build relationships with executives and create a strong team, they will likely find themselves in a strong position. C-suite colleagues have an important role to play in retaining CISOs too – raise your cybersecurity understanding so your CISO can rely on your support.