Is There a Solution for High CISO Turnover?


Every company, of any size, relies on its Chief Information Security Officer. It’s a vital role: They manage, monitor and control the cybersecurity of the entire organization. As the saying goes, the buck stops with them. 

With more businesses, the general public and the federal government turning a greater focus toward strengthening their cybersecurity infrastructure, you might reflect on your own and professional colleagues’ experiences with CISOs and wonder: Why is there so much turnover for such an important position? Understanding the reasons behind CISOs leaving can help your business acquire and retain the top talent it needs to stay most secure. 

The Reality of a CISO’s Role 

As the go-to cybersecurity expert, the CISO doesn’t just make decisions — they are also the role model that the rest of the organization looks up to for protocol and expectations. With great power, as we know, comes great responsibility. 


Let’s not confuse this position, however, with a closely related role: the CIO. Chief Information Officers are more involved in the planning and development of your security posture, while CISOs are entrusted with the maintenance, compliance and defense of company data. The positions work together to create a strong cyber-defense structure from start to finish. 

How is it, then, that CISOs have a greater rate of turnover than CIOs? 

Responsibility and Accountability 

Data breaches are a rising threat to companies like yours. Nearly half of all cyber-attacks target small businesses, and yet only 14% of them are equipped with the necessary tools to defend themselves.

Imagine that a hacker breached your network right now. As soon as you kick out the threat, patch vulnerabilities and notify customers, what’s your top priority? Most likely, you’ll seek to repair any damage incurred to your reputation.

A lot of the time, particularly if the breach is egregious enough to warrant action against the one who made the error, blame for it will lie with the one at the top of the security chain. Although everyone in an organization has the responsibility to mind their security awareness training, outsiders can most easily conceptualize the fault of the overseeing individual. Whether to regain reputation or for other reasons, the CISO is often made to leave as a way to restore trust in the company. They often step down on their own after a breach for a quieter exit, if they fear their position is in danger. 

Of course, CISOs aren’t the only ones at fault in (most) security incidents. In 2018, cyber-attacks resulted in the exit of 23% of executives, with US companies more likely to see the departure of high-level officers after a breach. Employees at lower levels who may have had a hand in the security incident also face consequences, although it’s less discussed in reports or by word-of-mouth after a publicized cyberattack. 

Why Else Do CISOs Leave? 

The reason behind the high turnover rates for CISOs may not be so dramatic. The last straw can range from creative differences to a poor company culture, or simply one that is not a personal fit. A better job offer may come along; and interpersonal conflicts with other partners, or professional ones about intended growth and direction, may drive CISOs out of an otherwise satisfying job. 

Team building exercises build bonds between coworkers that make office life much more pleasurable. Opening accessible lines of communication to bring up issues can also create a comfortable work environment for everyone. When people feel comfortable reaching out to these resources, conflict doesn’t build but bridges do. Happy employees perform better and project better customer service, too. 

Sometimes, tensions simply boil over for two people who really just need time to unwind. Creating and enforcing an appropriate work-life balance for employees — yes, even you executives need a break! — and distributing tasks to competent coworkers are both great ways to prevent burnout. R&R isn’t just good for the individual, it’s balm for the whole team. 


How to Avoid Common Mistakes 

While we can’t always avoid work stress or cyber-threats, we can mitigate the damages of both with communication and a game plan. Ideally, strong defense mechanisms and hiring competent people into the position should fend off the majority of cyber-attacks, but in this day and age it’s all but inevitable that your organization or one of your clients’ businesses will experience a cyberattack. What really matters is how you react when a security incident does occur. 

  • Transparency is key. The only thing worse than finding out your credentials have been compromised is finding out that the ones in charge of your PII covered up an exposure, possibly years after the fact. 
  • Take accountability where it’s due. Clients have more respect for MSSPs that accept where they went wrong and pledge to fix it, than those who dodge responsibility and thus can’t be trusted to make the right decisions in the future. 
  • Respond swiftly and appropriately to cyber incidents. Timing is everything and demonstrates that you’re taking the safety of clients’ sensitive data seriously. 
  • Prepare for the worst. Are you responding appropriately to potential threats and doing regular monitoring, even when all seems quiet? Have you gotten up to date on your compliances? Do you regularly offer security awareness training? All of this determines whether you are ready and able to protect confidential data when the time comes. 
  • Upgrade and update clients’ systems ASAP. Bad actors are always on the lookout for the most cutting-edge tricks and technologies to dupe you into handing over your information, or to hack into your system directly. Thus it’s important to upgrade clients to newer software and hardware as soon as they become available, so as to best combat these modern threats. 

Of course, all this preparation is only as good as its real-time execution. If there’s a deeply penetrating and publicized attack that steals all of your clients’ Social Security numbers, you could be held liable for what amounts to a lack of preparation. If not legally, then through recovery costs and the damage to your brand image for certain! 


CISOs are vital to every company. Understanding the reasons behind their relatively high turnover rates, compared to others in the information security industry, is the first step toward forming and implementing productive changes that help with retaining top talent. Creating an open and collaborative work environment that prioritizes preparedness, problem-solving and accountability will attract the kinds of candidates you want in the organization. Then, retain them long-term by making positive changes in direct response to their greatest concerns. 

Understanding why CISOs leave companies so often is the first step. Ask CISOs that you know outright what they value in a work position, and stay up to date with industry news to get the scoop on what CISOs need from an organization, right from the source. It’s the best way to reduce turnover in your CISO position. 

Our PG360 security solution offers simulated phishing, a risk assessment, an instant work plan, and NIST-based policy templates with industry-leading policy management. That’s not all we can do—yet these tools are the perfect way for CISOs to make a strong security start and maintain the kind of momentum that gives hackers a hard time. We also offer employee security training that goes beyond a one-and-done approach, providing ongoing weekly assessments that continuously monitor and grade how the staff is responding to security threats. Basically, it’s our job to make a CISO’s job easier. Connect with us at the link below to find out how.

At CyberGuard360, our clients are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, training, and disaster recovery. Call 914-202-0227 or reach us via our contact form.