Three essentials to thrive in a high pressure CISO role
First published in the ISACA Now blog on 27 February 2020
A recent Ponemon Institute report predicted that the role of the chief information security officer (CISO) will continue to rise in significance. This is underpinned by the growing realization by executives that just one serious security incident or data breach could derail the growth and profitability of their companies because of the impact on brand, the cost to remediate, fines and legal fees, and/or customer loss.
But as many CISOs can attest, this strategic role is not as rosy as many think – it is fraught with challenges. Corroborating this view, a 2019 report found that the average tenure of a CISO is only 18 to 24 months, citing the constant stress and urgency of the job as the core push factors. In comparison, CFOs and CEOs last 6.2 and 8.4 years, respectively. What makes the role of the new CISO so formidable? Our interactions with peer CISOs have unearthed three critical challenges facing the new CISO.
First, the majority of CISOs are hired to salvage serious problems: clean up messes following damaging data breaches; restore dented customer trust; respond to pressure from major shareholders or the board to ramp up cyber resilience capabilities; replace a fired CISO; or to address serious regulatory compliance matters. As a result, some new CISOs are thrown into the deep end from the start. There is significant pressure for the CISO to quickly forge a new agenda and deliver results.
Second, business executives often underestimate the complexity and intensity of cyber transformation programs. To create lasting change, the CISO has to drive cultural change, select technical solutions that work and integrate seamlessly with existing architecture, navigate and survive inevitable corporate politics, build a high performance team, forge a collaborative and respectful relationship with the CIO and deliver compliance with myriad complex and incoherent data protection laws. When the CISO is hired, business executives often have a narrow view of this strategic role as well as a utopian end in sight. Predictably, once the CISO has fully understood the gravity of the mission, securing a proportionate budget is an uphill task.
Third, most CISOs hail from a solution engineering, operational or architecture background, with very minimal experience in strategy design, influencing, strategic communications and risk management. The absence of these skills often spells disaster for a new CISO, leading to early frustrations, mental fatigue or complete failure to overcome inertia and drive change.
This is not a counsel of despair; these pitfalls can certainly be evaded. One tried-and-tested way to build and sustain momentum from the outset is creating a 100-day plan. So much can be done in the first 100 days, if you consider the genesis of this widely accepted concept. The 100-day period can be traced back to Napoleon Bonaparte because that's how long it took him to return from exile, reinstate himself as ruler of France and wage war against the English and Prussian armies before his final defeat at the Battle of Waterloo. So much can be achieved within 100 days, but it requires careful planning from the start. Without a clear-cut plan, however, 100 days can seem like a flash in the pan.
This 100-day period represents an essential window for new CISOs to cement their credibility with the C-suite and enlist support during the formative stages of their agenda. In our CISO Playbook series, we provide comprehensive guidance for CISOs to create their first 100-day plans, maximizing their chances of succeeding in this high-pressure and rewarding role. Some of the key areas of consideration include:
- The CISO is, first and foremost, a cyber risk management executive. The CISO’s primary responsibility is to allocate scarce resources effectively and efficiently, maximizing the value of every dollar spent to reduce the corporate cyber risk profile. To achieve this, the CISO must resist the urge to rush into execution mode, and instead conduct a deep dive to understand the business value chain, digital crown jewels, customer segments, the most profitable business lines and top management priorities. The CISO must also dig deep into audit reports, penetration test results, red teaming exercises, executive tabletop exercises, third party assurance reports, data breach root cause analysis reports, risk registers and board reports to have a good grasp on the most critical cyber risk exposures.
- Second, and probably the most important, the CISO must enlist the support of strategic stakeholders from the outset. Over the last few years, the CISO role has deeply transformed. Success hinges on business acumen more than technical competence. The new CISO can ignore this reality at his or her own peril. There is no one-size-fits-all in terms of relevant stakeholders, but here are four vital executives CISOs need on their side.
- Chief Executive Officer – Gain a deep understanding into the business strategy, organizational culture, immediate and long-term priorities, planned expansions or acquisitions and the CEO’s biggest concerns and expectations. If your role reports directly to the CEO, a rarity, discuss the preferred engagement model and key attributes for success.
- Chief Information Officer – Discuss the IT strategy and how it supports corporate goals, the technical landscape (such as use of public cloud), outsourced activities and vendor governance models, project management methodology, IT governance models, technical debt, key IT staff, and engagement model with the previous CISO (what worked and what didn’t).
- Chief Financial Officer – Understand the budgeting processes and schedules, out of cycle expenditures, delegations of authority and the preference over fixed or variable costs.
- Chief Risk Officer – Determine the cyber risk profile, risk tolerances, risk management culture, frameworks, governance forums, engagement model, board reporting, key compliance obligations, cyber risk insurance and implementation of the three lines of defense.
- Once you have gained a deep insight into the organizational road map, digital strategy, existing capabilities and key risks, formulate a strategic plan that prioritizes the areas of highest risk and quick wins. Your top priorities will naturally inform the required budget and additional resources to bolster the existing team.
The CISO role will continue to evolve as regulators tighten the squeeze, consumers penalize brands for lapses in data protection and more and more businesses digitize. The absence of best practices in cybersecurity design and leadership has compounded the pressure on emerging CISOs. That’s why we created the CISO Playbook: First 100 Days, a comprehensive guide based on our own experiences and wide interactions with our CISO peers.