When to throttle yourself as a new CISO

"Cybersecurity exhaustion" across the enterprise can get a new CISO shown the door sooner than expected.

Recently, I was speaking with a new CISO for a casino property who had come into an absolute mess of an environment, with cybersecurity risk that was "off the charts" and "unmanageable." It is very tempting to come into a new company and be the superhero who fixes many of the issues right away, and it may well look good in the C-suite, since your first 90 days define who you are.

All the indicators show that a lot of work needs to be done on short order, and you want to show leadership and motivation and be known as the person who "gets things done." No CISO wants to be perceived as the last CISO, who most likely did not work out or burned many bridges within the company.

Rolling out new tools, patching, programs, teams, monitoring, end-to-end encryption and so on may all be great ideas with good intentions behind them, but pushed all at once they can end with the CISO being kicked out the door within a year.

Why? When a CISO shows up, it is important to remember that you will be viewed as the "IRS": the person who tells everybody what they are doing wrong in their jobs. This is a harsh image of the CISO, but perception is reality.

Not many people like or enjoy working with the IRS. Because you are the CISO, they assume you are there to tell everybody how they are doing everything wrong, and it feels as if you are calling everybody's baby ugly, because you are finding vulnerabilities and problems everywhere.

In addition, the CISO is another step in the business approval processes across the enterprise. The CISO can be seen as the gatekeeper to key decisions, even though we would prefer to see ourselves as business enablers who protect the company's data assets. The perception of CISOs in general among other business executives is absolutely horrible.

If you do not throttle yourself as the CISO, it is highly likely that your career within your company will be in jeopardy. It is easy to believe that you came in to perform the duties assigned by the executive leadership team, while failing to recognize that the rest of the company will experience "cybersecurity exhaustion."

Cybersecurity exhaustion is very much like a hangover after a fun night of partying. For the first nine months on the job as a CISO, everyone will be pleased with your ambition, your progress, and the company becoming more secure, but the party does not last forever, and if you party too hard, everyone wakes up with a bad hangover. As a new CISO, it is great to have the visibility and the spotlight on you, but people will get tired of you and will seek ways to derail your efforts. While this may sound cynical, it is the unfortunate behavior and way of life in a company. People get tired of the superstar of the party.

When we become CISOs, we all know better than to operate faster than the speed of the company, yet I operated like a racehorse in my first CISO job. I will admit that I was taken by cybersecurity adrenaline and put in an insane number of hours to do whatever it took to protect my past employer, and that ended up being my demise. While I showed loyalty and a strong work ethic, I let the adrenaline of the cybersecurity issues get the best of me and operated faster than all of the other executives, because I wanted to protect the company. I was fearful of a cybersecurity breach on my watch, and that was entirely about individual pride and ego.


Earlier in my career, I made this mistake myself without realizing it until it was too late. I was the first CISO for a $2 billion holding company that was in dismal condition and under horrible IT leadership. I came in as the new IT director for our business and functioned as the company's first CISO for five business units in a shared-services IT model. I rebuilt the IT shop I was in charge of, kicked major butt fixing problems and issues, turned the place around, built IT and cybersecurity programs, became compliant with SOX and PCI, improved reliability and uptime, reduced cyber risk, implemented layers of security, and so on, only to be shown the door within a year.

I learned the hard way that I had pushed too aggressively and people had become "exhausted" with my endeavors. We all know that we have to moderate ourselves in our jobs, but with cybersecurity it is different.

CISOs have a less desirable position in a company than, for instance, a VP of marketing. The VP of marketing gets to do the fun, sexy work of promoting the company and being creative, while the CISO gets to be the person viewed as the company "police officer." Everybody wants a police officer when they need one, but when they don't, they want you gone. This is the life of a CISO, regardless of how gregarious or likable you may be. Being a CISO is a very difficult position in a company and can be viewed as a "thankless" job.

While this advice may sound like typical "cookie cutter" leadership that plays the "safe card," it isn't. I firmly believe in being bold, innovative, a thought leader, and a progressive leader, but this is very hard to do, because the role we need to carry out may limit our true ambitions.

Bottom line: go at the pace your company would like to see. Don't tire out your company to the point where the other executives experience your "cybersecurity exhaustion."

Happy survival in the C-Suite.

Stories by Todd Bell