What is Wrong with the CISO?

What is wrong with CISOs?  They seem more stressed and angry than ever.  And the drinking!  I missed RSA last year, but the stories and social posts are soaked in alcohol.

I am not the only one noticing all these stressed out CISOs. Here are a few recent stories:

• CISOs Have the Toughest Job in the World
• CISOs Struggle to Cope with Mounting Job Stress 
• Average tenure of a CISO is just 26 months due to high stress and burnout (which cites the same report as the first item)
• I Was A CISO for Six Years — Here’s Why Burnout Is Such A Problem 

I spent time lurking in CISO hang outs recently.  I heard a lot of stories that all centered around a common adjective: frustration.  CISOs are under tremendous pressure to keep their organizations safe.  There is too much to do, too little time, and too few resources.  Moreover, the complexity of modern enterprises coupled with the persistent threat of ransomware attacks makes CISO jobs profoundly difficult.

However, frustration is only part of the story.  There is another adjective I heard frequently: hopeless. One CISO summed it up succinctly: “they blame me for everything that goes wrong.”

Yeah, I know how that feels.

Maybe this is why many CISOs get the title Chief No Officer slapped on them?  Faced with hopeless odds of success, it is easier to say no than to fight to make things work.  I used to think CISO that did this were weak leaders.  However, the more I hear them talk, the more I think they are stuck in a classic Kobayashi Maru (a no-win scenario). No matter what they do, they get blamed.

It works something like this:

1. Company hires a new CISO
2. The expectations are ludicrous:
   • Executives and board members expect the CISO to protect the business with absolute precision and perfection.
   • Other departments expect the CISO to implement security without disrupting any existing business functions.
   • Third party vendors expect the company to align with several intricate compliance regimens.
3. The CISO implements a plan.  There are two common outcomes:

The CISO implements effective security controls: 

• • • The controls fail, company gets hacked  > CISO blamed and shamed
    • The controls work, but it causes other systems to fail > CISO blamed and shamed
    • They work, security becomes routine and dull. Executives wonder why the company spends so much on security > CISO blamed and shamed

The CISO is unsuccessful, security languishes: 

• • • Company hacked > CISO blamed and shamed
    • Company somehow does not get hacked, executives wonder why they have a CISO and no security controls > CISO blamed and shamed
    • Company fails a compliance audit > CISO blamed and shamed

5. The CISO quits or is fired
6. GOTO 1

There is no way to win.  Mistakes in security (and technology as a whole) are common.  Since many CISOs rose through the ranks from technical roles not business schools or investment firms, they usually lack the skills to navigate the petty politics of organizations.

When people are trapped in situations where they feel they cannot succeed, they become bitter, resentful, and eventually give up.  Why work hard when you will be blamed for every problem, whether you caused it or not.  I once witnessed a company put their entire environment at risk, because a vice-president wanted to spite the security team for using a different cloud service provider.  Eventually, the CISO tired of these antics and left the company.

It is unsurprising then that many CISOs feel frustrated and are quitting. With that in mind here are some ideas for CISOs stuck in a frustrating job:

• Adapt Communications: Each person you interact with has a particular communication style. Take a moment to consider how people will listen to you more effectively.  Some people prefer to get right to the data, while others may require a gentler touch. Remember, you are responsible for being heard.  It is not the listener’s responsibility to understand you.
• Stay Strategic: Play the long game.  Have a plan and stick to it. Avoid getting mired down in petty squabbles. Keep reiterating the value of security.
• Snuff-out the Gaslighting: One-way bad leaders distract CISOs is with irrelevant questions and faulty logic.  For example, they may use anecdotal reasoning, where they recite some situation from their past an expect you to replicate that when you know it will not work.  Listen, show respect, placate where necessary, but stick with your plan.
• Arm Yourself with Data: When the blame starts flying, have data on your side.  Data might not save you, but it is a powerful weapon against the forces of idiocy.  Make sure goals, plans, and commitments are documented.
• Stay Off the Range: Security is an easy target for developers, IT, finance, HR…everybody who needs a scapegoat.  Do not allow your team to be unprepared.  Be on top of your goals, metrics, and plans.
• Hold Vendors and Service Providers Accountable: Do not allow the companies providing you products or services to skip out on their commitments.  If a vendor promises you something, get it in writing and require them to deliver.  This is how you can show strength, resolve, and discipline.  Be firm, do not be a jerk.
• Battle the Bullies: You may have board members or executives who think they are security geniuses because they have money and authority.  These people are often deeply insecure bullies.  Keep your discussions with these people focused on threats.  Talk about the competition, ransomware, hacker groups, and all the catastrophes that will unfold if security is sidelined.  Bullies innately understand threat.
• See and Sell a Brighter Future: It is difficult to scapegoat a person who speaks of a brighter, better, and more prosperous future. While you may need to pound the bullies on the board with fear, spread optimism, vision, and hope elsewhere.  Optimism is attractive.

While I cannot fault anybody for giving up when things feel hopeless, you must take something from each experience that helps you in the future.  You might not make a difference in every place you work, but every place you work, can make a difference for you.

However, I would urge all CISOs to hang in there.  With persistence and perseverance, you can make a difference.  Lastly, make sure you mentor and train others along the way.  Leave your employer in a better place then when you got there.  The people you mentor will support you.