How to not get fired as CISO

Be a strategist, adviser, guardian, and technologist

Lately I have seen a number of new CISOs let go after one year on the job. I became intrigued as to why we are seeing such a high failure rate for new CISOs.

I started talking to other CISOs and to recruiters that specialize in cybersecurity recruiting, and we started to see a pattern. The CISOs were heavy with technology experience, did not align themselves with the business, were not prepared for the C-Suite, and were being recruited by other companies for better opportunities.

Supporting this, a recent ThreatTrack survey of 203 C-Level executives found that 75 percent of executives in the C-Suite do not think the CISO should have a seat at the table, and that 28 percent say a decision by their CISO has hurt their business’ bottom line.

According to Al Lerberg, president of Cyber Security Recruiters, “the CISO must be perceived as a professional who adds value and solves problems, not a person who just says ‘No.’

This can be a difficult transition for a security professional who doesn't have a lot of business savvy or business experience. In this role, it is critical to build relationships at all levels of the organization so they are seen as someone who can help the organization accomplish business objectives, not stand in the way of progress or results.

This can be a difficult tightrope to walk for CISOs, and those who can do it really well will always be in high demand.”

Lerberg’s points align with a new one-day workshop launched by Deloitte Cyber Risk Services, the CISO Transition Lab, which was created to help CISOs succeed in their roles. As part of the program, Deloitte did an excellent job highlighting the “Four faces of the Chief Information Security Officer” that define the functions of a CISO:

  • Strategist: Drive business and cyber risk strategy alignment; innovate and investigate transformational change to manage risk through valued investments
  • Adviser: Integrate with the business to educate, advise and influence activities with cyber risk implications
  • Guardian: Protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program
  • Technologist: Assess and implement security technologies and standards to build organizational capabilities

Deloitte’s lab findings indicated that, on average, CISOs today spend 77 percent of their time on the technical aspects of their positions, as “Technologists” and “Guardians,” and that they would like to reduce this time investment to 35 percent. This demonstrates a recognizable desire to shift emphasis toward the “Strategist” and “Adviser” functions. The common denominator is that the CISO needs to align with the business to have a long tenure with a company. If they don’t, they will join the ranks of the many CISOs shown the door with a one-year tenure blemish on their resume. Every hiring manager and recruiter will want to know whether the CISO was terminated for poor performance, did not align with the business, or didn’t know how to survive the C-Suite.

The four CISO faces above are well characterized to help balance out a CISO who is typically technology heavy and lacking business experience. Recently, I was speaking with the CISO of a financial services company about how they created a new consulting function within the CISO group to better support the business: a consulting arm that strategically supports the company as a whole with trusted advisers and builds better business partnerships. Notably, this CISO has been in his role for 12 years, and he is leveraging the pillars of success listed below:

  1. Find a mentor; don’t try to figure everything out on your own. A great place to look is your LinkedIn contacts: find experienced CISOs who have been in their position for at least three years. These individuals tend to have solid executive experience and can be a great resource to help you succeed in your own career.
  2. Learn your business and how every department works. Everyone you work with will respect you for taking the time to understand their business and the challenges they face, and you will find opportunities to help them with common agendas that may align with yours. It is a great opportunity to build your brand within your own company, so be humble when you meet with the other functional executives. Be likeable. This will pay dividends when you need a favor to push your cybersecurity agenda.
  3. Spend more time with your CIO and “walk a mile” in their shoes. You will start to see why you mostly report into the CIO function and how your decisions have a dramatic impact on the company and on the CIO’s agenda. Learn to be an ally of the CIO. I also recommend that you stop trying to report into the CEO just because you have an issue with the current CIO reporting structure. Get over it, and work with your CIO. This is the most important relationship you will have within your company, as the CIO can make or break your career there. Don’t underestimate the power of the CIO, even if you do report into the CEO.
  4. Take the time to read and learn from a variety of business books. You are now swimming with sharks, and you need to bring your political “A” game to the table if you expect to be taken seriously and want to survive.
  5. Be careful not to “overplay your hand” with a large cybersecurity agenda that creates “cybersecurity exhaustion” and gives the impression that your job is to tell everybody else what they are doing wrong in their own jobs. You don’t want to look like the IRS department within your company, because nobody likes working with the IRS.
  6. Be the trusted adviser within your company. Your job is to help others, not to tell them what they are doing wrong or what they should be doing.
  7. Ask for help. Deloitte & Touche, LLP just developed the CISO Transition Lab to help accelerate a CISO’s performance; it is a program designed to help you thrive within your business. Also, many universities offer short summer executive programs, ranging from one week to a couple of months, that can expand your knowledge of how a business functions. You have to find a way to function within your business and not be the techno geek who wants to protect everything within the company.

Tags: Metrics and Budgets, Leadership and Management, back to school, IT careers, strategy, data protection, CSO Australia
Stories by Todd Bell