Most CISOs last 13 months in their job, or so I was told a decade ago. I’ve since seen as high as 18 months and as low as 11 months, but regardless of the actual length of time, I think we can all agree that any career with a short lifespan on achieving the leadership position of an entire department is extremely wasteful! The reason is simple: we aren’t aligned with the business. What it takes to get to the CISO seat is not what’s needed when sitting in it.
I did a presentation at DEEP, my company’s conference, titled “How to Keep Your Job for More Than 13 Months,” focused on my own experiences and on discussions I had with several of my peers. For transparency, as I’m sure you can tell from LinkedIn, I have held four hybrid CISO/CSO positions, and they lasted seven years, eight months, twenty-two months and now 29 months. My average tenure is roughly 35 months, or just shy of 3 years. In my case, I chose to move on. However, the implication in most of these cases is that moving on is involuntary, and that’s wasteful too.
I’m also asked a lot, in discussions on attracting and retaining talent, how new people in the industry should get to where I am. The answer is “don’t do what I did.” Why? Because security was in a nascent and growing phase without defined career paths when I was breaking into the industry. Most of us didn’t, like Babe Ruth, point to the stands and then hit the ball there. Our careers look more like Brownian motion than the perfect execution of a plan. This raises the question of what it will take to produce the longer-lived, future-proof Next Generation CISO. If we’re honest here, it’s actually about making a CISO that can last more than 13 months for this generation.
Some people may disagree with me here, but I believe the fundamental problem behind this waste, and the biggest issue in security, is not how to stop bad guys, how to manage controls or how to hire the right people. The biggest problem is a lack of alignment with the business. This is the cause of all that waste. When the CISO gets their new, vaunted position, it’s in an appendix to the business and isn’t seen as a core function by the vast majority of companies.
20 years ago, this was the CIO’s problem. Today, it’s our problem. Security is perceived as “the other” and suffers for it. We are hobbyists who talk in techno-jargon and don’t understand the core business that pays our bills. We always want a new toy, in the same way R&D wants more developers and Marketing wants more program dollars. But our toys are driven by FUD (fear, uncertainty, doubt) and by vendors wining and dining. What Boards, CEOs and CFOs don’t understand is when it will end, or whether the risk is really being managed.
So what does a young CISO have to do and focus on to be successful in their job? How can they future-proof and uplift the company while making sure that they thrive to keep doing it? Here’s my take on what any young or aspiring CISO can and should do to succeed:
- Always use the language of business. I sum this up in 6 phrases or ideas: (1) revenue, (2) cost/margin, (3) risk, (4) customer satisfaction, (5) employee efficiency and (6) corporate strategy. That’s it. No talk of viruses, firewalls, BGP, logs, PCAP or anything like that unless it’s due to an incident or specific risk.
- Don’t jump on everything security as soon as it appears. Let others get ownership. You have nothing to prove. Everyone knows you are the smartest person in security, but also become known for talking business whenever possible.
- Break bread often and walk to see people. Sneakerware is what you should invest in. Slow down and pursue conversations. Face-to-face. Trust requires reliability, credibility, intimacy and alignment with one another. The real problems happen because of lack of intimacy and alignment, but reliability and credibility are usually to blame: “They don’t know what they are doing” or “they aren’t capable of doing it.” That’s what people will say about you rather than the real reasons of “I don’t know them” or “we aren’t pursuing the same outcome.” Focus on lateral relationships as job #1 because you will satisfy your boss and your people will satisfy you.
- Align with peers and be prepared to give a business presentation at any time. Have a few slides available and share KPIs aggressively. Then roll up the sleeves and get down and dirty. Take the example of vulnerability management. If you turn up and ask for 40 patches, the CIO hears “I want to cause breakage, blow SLAs, and increase call volume and call time.” In negotiations, you fight for 10 and get them. A month later you ask for 60, because there were 30 still unpatched and 30 new ones, but the CIO says “you can have 5, because nothing bad happened with the 30 unpatched, and you ruined my KPIs.” Share KPIs instead: if the CIO takes on a risk-reduction KPI and you take on their SLA and call-time KPIs, you are aligned.
- Be the Chief Risk-Storytelling Officer. Prepare a strategy, a plan and KPIs, and walk through them 1:1 with the most technical, most involved-in-the-numbers board member. Put them in an appendix, distribute it, and then come and present a story. Anyone who wants to dive in, welcome it and be prepared to discuss it (see the previous point). But make this about the security stories for most of the audience, and have the depth to back it up.
In addition to that, I would recommend some personal, inward-looking work as well, focused on:
- Recruiting and Retention: Diversity isn’t just good politics and good for the community. Selfishly, it gives you the best possible pool of resources, checks and balances, and strength in the department. Look for people with more than cyber skills who have the right attitude, the right aptitude, no technophobia, a strong work ethic and curiosity. The best SOC people I have ever hired are a mathematician, a musician and a history major.
- Mentorship: I have mentors and I mentor. It’s important to grow by seeking people with strengths you don’t have. It’s also crucial to pay it forward.
- Networking: Get to know other CISOs in your industry (unless anti-trust rules make that illegal) and in your region, as well as other C-level executives. Don’t stop there, though: go to universities, teach a course, talk at the local Rotary Club and so on.
- Care about the wider cybersecurity policy and law landscape: If we aren’t aligned within the business, it’s even worse in the local, state, federal (for any country) and international arenas. Cybersecurity needs to be part of the public debate, helping to form policy and law rather than leaving this to neophytes and politicians.
To paraphrase Plato, know thyself. Spend time understanding how you got here, what the people around you see in you, how you lead, and your strengths and weaknesses. Always be learning, and share your weaknesses and failures more than your successes and strengths. These are at the heart of leadership. To paraphrase Lao Tzu, mastering others is strength; mastering yourself is true power.
Finally, my good friend Gary Hayslip has done a great job summarizing his own career and guidance too, which I highly recommend for aspiring CISOs or anyone in the security department with designs on doing well, CISO or not.