Mamas Don't Let Your Babies Grow Up To Be CISOs

Doctors and lawyers and such sound like good alternatives. Unless you've got the bug. What you, your board, and even the rest of us need to know about the CISO's situation.

Which seat does the CISO get? Image by kzd from Pixabay

Once upon a time I had thoughts of being a CISO. To have the ultimate say in security for an organization. To guide it to success - secure success! - as a company leader, keeping customer data private and safe, earning my company a name for doing it right. Two decades ago, when I first met the CISO I would ultimately work for, I was immediately impressed. Here was an executive - a C-level person! - who understood the stuff I was babbling about, and was focused on bringing the established company we worked for into the modern age with regard to information security (we didn't call it cybersecurity back then). That role model was part of my inspiration for those aspirations.

Within about a year of that first meeting he and at least two of his top lieutenants were gone - by their choice. (I have been repeatedly assured it wasn't something I said.) That was the beginning of the revolving door of CISOs at that company, and in the fewer than 3 additional years I spent there I had 2 other CISOs leading the infosec charge. Per Fortify Experts, the average tenure of a CISO is still about 24 months, while Korn Ferry suggests that the average C-suite tenure in any one company is 59 months - CISOs are, on average, lasting 40% as long as their C-suite peers.

Literally a decade later I had the opportunity to work with that same CISO again, only he wasn't a CISO any more; he was now a consultant and mentor to CISOs. His story isn't unique: in my time as a presales technical resource I was continuously surrounded by former CISOs who had given up the top-floor office to work from the airport, hotel, and customer conference room. The dirty little secret in information security then, and cybersecurity now, is that CISO is a thankless grind, and your peers in the C-suite haven't recognized your value as an equal. In fact, many CISOs have a "C-level" title, but in terms of company organization they are not actually peers to the likes of the COO and CFO, or even the CIO. The vast majority of CISOs are really VPs or Directors in terms of actual org-chart function.

A Brief History of a Whirlwind Role

Historians assure us that the first official CISO role was bestowed in 1995, just 30 years ago! In the intervening years the whole makeup of companies has changed. In 1995 companies had modem banks for remote workers to check their email - which, along with a marketing-based website, was about all most companies had online. Their data center was onsite (in the case of one company I worked for, it was in an old oil-sump room under the factory floor, and yes, I do have a story about that for another time). Today most companies have a combination of on-premises and cloud-based tech, and the average company has so many different web-facing systems that its attack surface borders on the unknowable.

An ISP modem bank, circa 1999. Attribution: https://commons.wikimedia.org/w/index.php?title=User:Siliconboy&action=edit&redlink=1

During that time the Payment Card Industry (Amex, Discover, MasterCard, and Visa, essentially) came out with its compliance framework. The Health Insurance Portability and Accountability Act (HIPAA), along with the follow-on HITECH rule, redefined information security for the broader healthcare industry. More recently, the identification of many industries as "critical infrastructure," and the SEC's updated reporting rules, have changed the landscape as well.

But we also went from the era of the "worm" style of malware that relied on floppy disks shared between computers to propagate, to online ransomware; from the era of the "hobbyist" hacker to international cybercriminal gangs and state-sponsored malicious actors.

By comparison, this would be similar to the financial industry going from a barter system to cryptocurrency in 30 years, but with businesses still not internalizing how to trade actual physical goods or services for little slips of paper with numbers on them with much focus or efficiency - just sort of assuming it all works because it seems to.

Implications of the Short History

In cybersecurity we're still using the equivalent of abacuses to do our jobs, while our corporate peers are all deciding between spreadsheet programs and HP calculators. OK, it isn't really the tools per se, but the data we have to work from, and the patterns we know are viable. Let's use insurance as an example.

Auto insurers have well over 100 years of evidence to know everything about car crashes. How often they're likely to occur. How the area you live in impacts that likelihood. How severe a crash is likely to be. What they're going to have to shell out when and if it does happen, on average.

Life insurance companies have centuries of actuarial tables and data to work from. They know how smoking in your 20s and carrying 30 lbs of spare tire are going to impact your life expectancy, because they have the data.

Now let's look at cyberinsurance. They have, well, years, maybe a decade, of useful data. Part of the reason cyberinsurance rates have skyrocketed in recent years is that the insurance companies completely underestimated the frequency and the impact of ransomware - a type of risk that, effectively, didn't exist beyond five years ago when it was primarily aimed at extorting individuals, not companies.

The point here is that other members in the C-suite have been able to build on the work that went on before them. The centuries of capitalism have informed how CEOs, COOs, and others make decisions. Sure, the Information Age has changed things, but the principles are well known, well understood, and continue to be useful guides and measuring sticks. The CISO has about 30 years to fall back on, and those years are, for all intents and purposes, so primitive and new that they don't offer the same sort of data, measurement, or guidance that sales, marketing, product development, or others can fall back on. Even here in 2024 the CISO is a pioneer, attempting to tame wilderness nobody even dreamed of just a few years before.

Not convincing? Still aspiring to be a CISO? Fine, let's keep going.

Cybersecurity Is a Cost Center Not Directly Tied To Revenue

The vast majority of organizations in the US that are willing to hire a CISO turn out to be for-profit organizations. That means that any dollar not spent on generating revenue is considered a cost to be avoided. With extremely few exceptions, cybersecurity isn't seen as part of the company that generates revenue. It isn't responsible for closing deals or directly delivering products and services.

So how much funding do you expect to be able to get for your cybersecurity empire you'll be running as a CISO? How much influence are you expecting to wield when you need to adjust how the parts of the business that are tied to revenue behave? When you try to enforce a governance program that might impact speed to market or sales volume?

All the Liability, None of the Decision Making

If you weren't already aware, the CISO role is explicitly called out in HIPAA as a possible target for civil and criminal penalties for failing to protect protected health information (PHI), including up to 10 years of imprisonment. It was one of the very first laws to call out the CISO by title. Since then, a variety of other laws and regulatory requirements have also named the CISO specifically as the target for responsibility.

Beyond those specific callouts there are plenty of things that could trip up a CISO and put them in the crosshairs of liability. The former CISO of Uber was found guilty of lying to federal investigators. The CISO of SolarWinds is currently preparing to defend themselves against SEC accusations. And I'd hate to be the CISO at United Health Group right now, especially as a sitting US senator has formally called them unqualified and urged both the FTC and SEC to investigate - on top of the HIPAA-related investigation already underway.

So if you only have a 20% chance of being truly considered a C-level member of the company, yet you're going to be called out by title in multiple federal, state, and even international laws as being liable for good cybersecurity, are you sure you still want the job? After all, recent research from Trend Micro suggests that 80% of CISOs have been told by the board that they are overstating cybersecurity risk, so there's not as much help there as you would hope for - assuming you even get to talk to the board.

Seems a poor way to end a CISO career, doesn't it? Photo by Emiliano Bar / Unsplash

Tools Built By Techies, For Techies

CISO should be an executive role, yet the tools at a CISO's disposal are for technicians. Even GRC tools generally arrive much like an ERECTOR set: you need to either know how to build everything from the ground up or you need to employ a number of specialists to do the building for you - and then the maintenance. Don't believe me? Ask around for successful Archer implementations and just see what response you get back.

Where are the tools for getting a handle on the executive level concerns of cybersecurity, instead of the technical ones? Where is the real-time visualization of risk? Where is the digest of trends? Why is the CISO's primary tool still probably an over-glorified spreadsheet?

Learning the Foreign Language of the Board

The board does seem to be more interested in cybersecurity concerns these days, but they're still not practitioners, threat hunters, firewall admins, or other security people who speak security language. While board makeup is changing, boards still don't generally include people with security backgrounds. As the CISO you're supposed to not only translate but persuade. Do you know the language of your board?

Speaking broadly, the language of the board is risk. Not cybersecurity risk, business risk. And as discussed earlier, even insurance companies haven't figured out how to quantify cybersecurity risk in order to discuss it quantitatively as a business risk. But let's look at the business risk of cybersecurity breaches. A few large-scale incidents notwithstanding, companies don't go out of business due to cybersecurity incidents. So you need to have something better than "might be a threat" or "could happen" if you have a serious concern to bring to the board. (They're not likely to be impressed by tickets-closed stats either.)

You Don't Have To Take My Word For It

I know, you're realizing about now (if you haven't already checked my LinkedIn) that I've never been a CISO, so how would I know you don't want that job? Well, the good folks at IANS do a survey of CISOs every two years, and their 2024 report shows that 75% of CISOs are interested in leaving their current job, up from 67% in 2022. So go ahead, ask them.

There are some good articles with advice on what companies and CISOs can do, and are doing, to improve the situation.

I Know What You're Thinking

Borrowing from my favorite early-80s Hawaii-based fictional PI, I know what you're thinking. You're wondering why I just spent two thousand words trashing the top-level leadership role in the industry I've made my career in. Well, I wrote this for three audiences:

Boards and C-Suite

If you've read this far, thank you. I hope you're thinking about the pressure your CISO peer (or subordinate) is under, and the position they find themselves in, not only because of your organization, but the impact of laws and regulation as well. Consider their input and suggestions in that light if you value them and want to keep them around. After all, that 24 month tenure isn't because they're all getting fired every two years. Their burnout impacts your business, honest.

Prospective CISO Candidates

This is a role that will chew you up and spit you out if you're not ready for it. I'm sure there are other executive jobs that are as bad, but I wanted to make sure you're going into your career with open eyes. If you make it to CISO somewhere and burn out, that's probably not on you. I promise you, there are plenty of other opportunities in cybersecurity if you do burn out on being a CISO or if you decide that isn't for you and you want to choose a different cybersecurity career path. We still need all the help we can get.

If you are ready for a CISO role, congratulations! More power to you. How can I help? We need you now more than ever.

Anyone Who Interacts With a CISO

I hope you now understand a bit more about what cybersecurity leaders are dealing with. They're not out to prevent you from getting work done. They're not out to stop progress or make you use software you don't like on a whim. They don't have ultimate power, and they need your help to be successful. Please, give them the benefit of the doubt. They could probably use it. The job isn't all conferences and denying access, you know.