CISOs, like any other senior executive, face risks every day. Because cyber security leaders are accountable for safeguarding some of their organizations’ most valuable assets, the stakes are high. A CISO who inadequately prepares for any one of those risks or manages them badly will probably be fired, as has been the case in recent high-profile incidents.
The following are actions — or inactions — that clearly indicate failures that are fireable offenses for CISOs.
1. Failure to prevent a data breach with significant financial or reputational damage
As the recent Equifax and Yahoo breaches show, companies can suffer severe damage to their reputations from such incidents. When a monumental security breach leads to financial losses and a high-level of negative publicity, it’s difficult for CISOs not to take the fall.
A breach will most likely result in a firing if the enterprise can prove that the CISO was remiss in installing the latest patches or failed to update the organization’s data environment to deal with the latest threats by installing the appropriate firewalls in the data center, at remote offices, or at the network perimeter, says Laura DiDio, principal analyst at Information Technology Intelligence Consulting (ITIC).
“Sometimes firing a CISO in this scenario is purely for optics; a company has to show the public they are taking action,” says Sean Curran, senior director and national leader of consulting firm West Monroe Partners' cyber security practice. “Other times, a CISO was actually negligent and unprepared. They did not have a solid plan to respond to and recover from incidents, a plan that would have limited the impact. We find that too often the focus is on protection only.”
A data breach “is typically the most publicized firing because a data breach makes the news and can affect so many people,” says Zach Burns, executive recruiter at security search firm Stratus Search. “In an organization, a CISO should take responsibility for every person that he or she hires. Therefore, termination can take effect even if the data breach was not directly attributable to the CISO.”
2. Taking on too much responsibility for risk and not communicating the risk to others
CISOs who assume all the responsibility for the organization regarding decisions on risk put their jobs at risk. In this case the CISO defines what the company will and will not tolerate from a security, risk and compliance standpoint—rather than being the facilitator of communication, Curran says.
“Too many security people think they shoulder the burden for the organization and that the ‘technical’ knowledge is beyond the business,” Curran says. “As a result, they do not communicate the risk at all, effectively stifling management’s ability to decide how much investment they should make to address the risk.”
A CISO “must be able to articulate risk and security solutions to a board or senior executives who are not familiar with security, so they can make informed decisions on risk tolerance,” Curran says.” By doing this, the CISO takes the burden of being solely responsible for any security gaps off their back.”
The CISO must work across all departments to have an effective security strategy, Burns says. “It is critical that this person can communicate effectively with senior leadership and other members of the organization. Failure to communicate effectively across the organization can result in poor performance of not only the team members under the CISO, but also adjacent departments.”
3. Failure to achieve or maintain compliance
Based on the nature of the company and the data that needs protecting, CISOs must show due diligence in regard to compliance and adherence to state and federal laws. “There must be reporting systems in place where the CISO is able to confirm all systems are property updated and protected,” says Robert Siciliano, cyber security expert with Hotspot Shield.
Many companies must comply with regulatory obligations to even bid on certain contracts or provide goods or services to their customers. “If they do not get certified, there is a significant monetary impact to the company’s bottom line,” Curran says.
If they do not maintain compliance and an internal or external auditor finds a large gap, that can lead to unplanned and unbudgeted remediation costs that force the company to deal with last year’s issues rather than improving on the future. “This spiral then grows harder to escape, unless [CISOs] are change agents, which is rarely the case or they wouldn’t be in this position,” Curran says.
Compliance, particularly in the digital age where networks are increasingly interconnected and businesses are sharing data with their customers, suppliers or business partners “is a very big deal,” DiDio says. “Compliance regulations are becoming ever more stringent, complex and numerous with each passing month.”
Regulations vary according to industry, state, country and other factors, and it is typically the job of the CISO and other security and IT leaders to work with in-house attorneys or external legal experts to ensure that their organizations comply with regulatory compliance laws, DiDio says.
4. Unprofessional conduct
As with any other type of job role, firing could result from unprofessional conduct by the CISO. It could also happen if an employee who works directly for the CISO acts unprofessionally. “If the CISO fails to correct and address inappropriate behavior, such as sexual harassment, this can lead to the termination of the CISO,” Burns says.
Unprofessional behavior can include actions such as inappropriate tweeting or questionable opinions expressed on social media. “The CISO is a highly visible member of the organization and should be careful when posting opinions publicly,” Burns says. “Any controversial opinions expressed by the CISO can reflect poorly on the company and can result in termination.”
5. Failure to deliver reliability and uptime
“Time is money,” DiDio says. “Systems, networks and connectivity devices are subject to failure. If the downtime persists for any significant length of time, it can be expensive in terms of monetary losses. It can disrupt operations, decrease worker productivity and negatively impact the organization’s business partners, customers and suppliers.
“A security outage of any significant duration can also be a PR nightmare and damage the company’s reputation, causing lost business,” DiDio says. “Reliability and uptime go hand in hand with a comprehensive, detailed backup and disaster recovery plan that also includes an internal operational level agreement that designates a chain of command in the event of any type of service disruption.”
Every organization should have a disaster recovery plan that includes an itemized list of who to contact at vendor organizations, cloud and third-party service providers, DiDio says. “The CISO should also know what the company’s contracts stipulate as the response time from vendors, cloud, and third-party service providers to respond to and thwart security incidents and track down the hackers,” she says.