In this episode of CISO Talks we sat down with Gerry Ashison and Matt Goodman, co-founders of Auricoe, to discuss common challenges that CISOs face in the role. There are a number of recurring challenges that you are likely to face as a CISO, including burnout, culture mismatch, high turnover, and more. How can we improve these situations?
Let’s take a look.
High Turnover of CISOs
CISO tenure is shockingly low. The average tenure for a CISO in a large organization is anywhere between 18 and 26 months. Compare this with the average tenure for a CIO, at 56 months, and you see we have a problem.
What’s driving this turnover?
If we’re being optimistic, we can say that the role of the CISO is maturing, the requirement for talent is high, and talented individuals are being continually headhunted and therefore moving around organizations. If we’re being less optimistic, as cybersecurity becomes more of a strategic business problem, and cybercrime is on the rise, CISOs face mounting pressure (especially when cybersecurity budgets remain tight). Should the business suffer a data breach, the CISO becomes the scapegoat.
CISOs also tend to be overworked. Threats evolve rapidly and organizational infrastructure changes, which can make maintaining a compliant and secure environment pretty tricky. Add to this the fact that most CISOs struggle to justify spending on solutions to the rest of the board, and you have a pretty stressful working life. CISO burnout is real, and the problem will only fix itself when CISOs learn how to win over the board on cybersecurity strategy.
How to Avoid a Culture Mismatch
It’s really important that before CISOs join an organization, they ask themselves some really fundamental questions. If you’re a CISO, you need to be asking yourself, “what sort of an environment do I want to work in?”
It’s also important to find out where the function of information security sits within the organization. Is it reporting to a CTO or is it reporting directly to the CEO? Both routes require very different approaches when presenting security findings.
How mature is the organization? Have they got a big budget to spend or are you going to be spending your whole time trying to justify why you need to spend money on that solution?
Knowing the answers to these questions will help to avoid situations where the CISO feels that they are not able to do their job effectively, and may reduce turnover.
Why Soft Skills Are Important
Being a CISO is a very human role. You’re not going to find yourself sitting behind a computer screen all day looking at data. You need to be out there, engaging with your colleagues in different departments, and helping to implement the security culture that you want.
Being able to speak the right language is critical. The CISO is a relatively new C-Suite position. The rest of the board is used to talking business language. If a CISO tries to go down the technical route, more often than not they will be met with resistance. Know your audience.
Similarly, when speaking with general employees, it’s important to focus on the why. Why are you asking them not to write down their password on a sticky note and stick it to their monitor? Why are you asking them not to click on that dodgy-looking link? If you can communicate the why, and the potential dangers associated with certain actions, adoption of best practices will be faster.
Being a CISO is hard. No two ways about it. But as the cybersecurity space matures, the role will be more important than ever before. Being able to link departments together with a common thread, speak the language of the board, and place yourself in the right environment will help to ensure CISO success.