The Ever-Spinning CISO Carousel: Implications for Enterprise Cybersecurity

Introduction

The average tenure of a Chief Information Security Officer (CISO) is commonly said to sit between 18 and 24 months, which is barely enough time to make a meaningful impact. Constant CISO turnover can be detrimental to enterprise cybersecurity, because major security initiatives and implementations may still be unfinished when a new CISO takes over. This article explores the reasons for the high churn rate of CISOs and discusses its implications for cybersecurity.

Reasons for CISO Churn

Cause #1: The Scapegoat Effect

One reason for the high turnover rate of CISOs is the risk of being used as a scapegoat for security incidents. A CISO may be blamed for a breach that occurs on their watch, even if they were trying to do the right thing under contradictory pressures. The Joe Sullivan case at Uber is a prime example. Sullivan, Uber's former CISO, was prosecuted and convicted for his handling of a security incident, the concealment of a 2016 data breach, yet many in the security industry do not consider his actions unethical. This scapegoat effect is a real threat to CISOs and a major cause of churn.

Cause #2: Lack of Board Support

Another reason for the high churn rate of CISOs is a lack of support and recognition from the board. Many CISOs feel undervalued and excluded from the wider business strategy. One survey found that only 28% of UK security decision-makers felt their role was valued, and only 9% said cybersecurity was always among the top three priorities on boardroom agendas. This lack of board support breeds frustration, and CISOs move on to positions where they expect to receive the support and resources needed to implement effective cybersecurity controls.

Cause #3: Stress and Burnout

Stress and burnout are significant contributors to CISO churn. The cumulative mental and emotional toll of multiple, overlapping stressors can end in physical or mental collapse. Affected CISOs may need extended time off, move to less demanding positions, or leave the industry altogether. Burnout is driven by the high expectations and accountability attached to the role, combined with a lack of authority to influence outcomes. The threat of personal litigation is a further major stressor.

Cause #4: The Next Big Challenge

Not all CISO churn is caused by the difficulty of the job. Some CISOs simply outgrow their current positions and seek new challenges elsewhere. They are motivated by career progression, larger budgets, bigger security teams, greater responsibility, more authority, and higher remuneration. These CISOs thrive on challenges and are always looking for the next opportunity to make an impact.

Effect of CISO Churn

CISO churn is a hidden cybersecurity threat because major security initiatives may be left incomplete, leaving gaps in coverage: controls that are partly deployed, tooling that is bought but not operationalised, and remediation programmes that stall. An incoming CISO may hold different views on how security should be implemented, which produces inconsistency and confusion for the teams doing the work. New CISOs also need time to understand the business before they can secure it effectively. With an average tenure of 18 to 24 months, that leaves little time to implement serious security controls and see them through.

Solution

The solution to the CISO Carousel lies in better communication. Boards must learn to value and support their CISOs, giving them the resources and authority they need to implement effective security controls. Boards need a better understanding of cybersecurity, while CISOs must learn to express security requirements in business-relevant terms. Only when the two work in lockstep will CISO churn slow and the full benefit of stable security leadership be realised.

Conclusion

The high turnover rate of CISOs poses a significant threat to enterprise cybersecurity. Organizations must address the causes of churn: the scapegoat effect, lack of board support, stress and burnout, and the pull of new challenges. By fostering better communication and support, they can bring stability to their cybersecurity leadership and protect their assets and data more effectively.
