Through all my travel, I’ve had time to catch up on random readings across the web. One post caught my eye: a LinkedIn post linking to an article about the “great CISO resignation.” The summary is that there are more expectations but not enough authority and collaboration to achieve those expectations, leading to burnout.
Flawed root cause analysis
In my opinion, this article does a poor job of analyzing why CISOs are ineffective or becoming burnt out. It cites studies attributing the blame to unfair expectations and a lack of CEO/executive resources. In fact, the article also cites shrinking budgets and staff. Finally, it notes that the role has “too much time spent firefighting rather than focusing on strategic issues.” Too many new frameworks and threat vectors are popping up, and it’s hard to keep people’s skills up to date.
These are reasons why CISOs are stressed and might be resigning. However, it fails to ask one key question: are we hiring the right people to be CISOs?
Changing risk concentration in changing times
Historically, CISOs have been operational risk managers. Many of them have had careers as consultants, IT specialists, financial specialists, or even lawyers. To be fair, in the past, much of the cybersecurity risk had organizational and operational aspects to it. In fact, many of the compliance certifications, such as SOC2, reflect this. They require background checks, performance reports, physical security, etc. So, it made sense to have CISOs who come from the backgrounds listed above.
The roots should come as no surprise because many of the common compliance standards weren’t developed in the age of the internet and have failed to keep up. For example, SOC2 had roots in the 1970s as part of financial controls (SAS 70) and evolved into controls and standards around information security. In fact, it’s telling that SOC2 still needs to be done by certified public accountants (CPAs). Yes, those are the same professionals that can do taxes. As a result, it made sense to have CISOs with backgrounds that had experience with audits. (It’s also no surprise that most security tools talk about auditing or have a strong auditing feel!)
However, as I’ve described in the past, compliance doesn’t result in a strong security posture. I’m sure there was a time when compliance and security were closer together, but that was probably during a time when IT and technology played only auxiliary roles in a business. Now, technology is a core part of any business, and COVID only furthered that. It’s hard to find a business that doesn’t heavily rely on technology. One way to think about this is how well businesses could operate if their internet was disrupted. I can’t think of one business segment that could continue operating. Technology and software are everywhere and essential to every business. The takeaway here is that most cybersecurity risks that CISOs now have to manage are related to technology and software.
Finding an effective cybersecurity leader
This shift in cybersecurity from operational to technology risk requires new leadership skill sets. That’s why we are seeing shifts in the reporting line of the CISO to ensure they are collaborating and/or aligning with the right objectives in the organization. However, the fallacy in current CISO hiring is that past experience in this role will result in future effectiveness. The issue is that the role has fundamentally changed. Although it is possible for some people to grow, it is the exception rather than the rule, especially if CISOs are complaining that they and their teams are having trouble keeping up with various frameworks. Trouble keeping up is a fair excuse, but it’s not one that companies would accept from their engineering leaders and teams. So, why do we accept it from our cybersecurity leaders?
For those of you who follow my newsletter, I’ve been vocal about the importance of a technical security leader and the need for more engineering backgrounds in security. These are especially important for businesses where technology is essential to their success. With that said, an effective CISO should have hands-on experience with the risks that they have to manage, which in this case are technology risks.
As a result, CEOs and boards should be advocating for CISOs with strong engineering backgrounds. Such leaders have been hands-on with the technology, and they understand how engineering organizations work, which makes it easier for them to collaborate and manage risk. Moreover, it will also make hiring much easier. Engineers have a tendency to gravitate toward strong engineering leaders, and if cybersecurity needs more software engineers, we need more strong engineering leaders.
Moreover, engineering leaders tend to have more experience doing strategy and firefighting at the same time. Similarly, engineers will have an easier time learning more security frameworks because they likely have experience operating under these frameworks or have better intuition on how to integrate security more smoothly.
(I’ll talk in a separate article about why I believe all engineering leaders, especially cybersecurity ones, should be more hands-on and resist the urge to empire-build.)
So what now?
I believe that this CISO resignation is actually positive. It paves the way for a new generation of cybersecurity leaders. CEOs and boards should keep applying the same scrutiny to weed out ineffective and/or outdated CISOs. The negative sentiment painted by the article makes it seem that these expectations are unintentional. However, it never considers the alternative: the CEO intentionally set these expectations for the CISO because it’s necessary for the role’s success and for the survival of the business. The right leader will find a path to success.
Threats, risks, and businesses have changed, so it’s unfair to blame the CEO for changing the expectations of the role. They are just reacting to the changes. As a security community, we have to adapt also. Over the past decade, budgets, authority, and tool quality have substantially improved, but somehow, cybersecurity issues don’t seem to be improving. It’s possible we have the wrong leaders driving the wrong solutions.
Takeaway/Afterword
Changing leader profiles is nothing new. We’ve seen this happen over time and over multiple businesses. For example, the idea of a CEO with an engineering background didn’t exist until the last two decades and has led to successful businesses.
One issue that I haven’t addressed is the makeup of a security organization. I’ve discussed the need for a more technology/engineering-focused CISO, and it’s possible this CISO will report up the engineering chain. However, I’m not advocating for the elimination of traditional security operations, i.e., the type of organization that most risk/operations-based CISOs build. This is still important, and it could be a separate organization with a separate reporting chain. This really depends on the organization and the experience of the CISO being hired. However, it’s clear from this article that CEOs believe in and expect a security organization with more engineering focus.