Oftentimes there is a big gap between what a person imagines a CISO’s position to be, and what the organization expects it to be. This kind of discrepancy leads to frustration that can build into burnout.
There is this veneer that makes the CISO position appealing and enticing. When you get into the details of the day-to-day responsibilities and how they report, and how seriously – or not seriously – their input is regarded, then the reality is less glossy. With such a big push right now for cybersecurity to be in the boardroom, and for CISOs to be part of the business conversation, it is becoming evident that not all CISOs have the skillsets that organizations want.
Aligning expectations with reality is key.
If you don’t have a good grasp of what your role is, and you’re giving senior management information that’s tactical (like how many endpoints we have with antivirus) rather than strategic (how can I help the business), then you lose credibility very quickly.
A CISO has to look in the mirror and ask, am I really ready to do this job? Do I understand what the position requires? There is a lot of talk about putting CISOs on boards, and many aspire to that. They envision a nice check, and an opportunity to order the company around on security matters. But nothing could be further from the truth. Being on a board comes with fiduciary consequences that can get you sued or land you in jail if something detrimental happens.
And as for snapping fingers and giving orders, that’s not how it works, either. A lot of CISOs are not prepared for all the pushback they are going to get, especially if they do not have the business skillsets and acumen they need to get the attention of senior leaders and the board.
And then frustration starts building up. They feel belittled and not taken seriously. They end up treading water instead of gaining in stature.
That is why it is important to understand what your position entails and the organization’s expectations of your role.
CISOs with the right experience and skillsets will never deluge a CEO with all sorts of terms and information that the CEO will not understand. They will not put security considerations before business goals. If an organization wants to do something that makes the security chief uncomfortable, the answer is not to dismiss it, but to face it and try to make it less risky and more secure.
A successful CISO will build alliances, not walls, and will be part of the team. As difficult as it sounds, you need to understand that there are certain things that the organization will decide even with risks involved, because they have a business goal that overrides those risks. Incurring a $1 million compliance fine may be worth a $40 million profit.
Being a CISO requires understanding beyond cybersecurity. You need to understand business if you want to be successful in the organization. Although we are subject matter experts, we must be deferential and recognize that we are not the reason the business exists.
I think the industry would do well to set up a third-party vetting organization to standardize the skillsets necessary for the job, as engineers, doctors and lawyers have. Something like the Professional Engineers exam would set a consistent level of skills for CISOs. That way, people go into the job with a specific skill, up-to-date know-how of business practices, and what they need to know to succeed. This will mitigate the frustrations on the job that lead to burnout and make all CISOs proficient and efficient.