WEDNESDAY, April 24, 2024
nationthailand

When a job title is not enough: why do CISOs only stay with you for 18 months?

In the past, businesses were run by a small senior management team headed up by a managing director who reported to a president or board of directors.

In addition, there were line managers who had a thorough knowledge of their own area, but little else. These were often seen as narrowly focused specialists. Today, however, the business landscape looks different. The top leadership has senior level deputies who are experts in their specific fields and at the same time understand the business development strategy.
This is how the C-suite was born, including, in many organisations, the position of Chief Information Security Officer (CISO).
A CISO is responsible for establishing and maintaining processes in an organisation that ensure information assets and technologies are protected and IT risks are reduced.
When CISOs are part of the board of management, their challenges fall broadly into two areas: the first – which we can call ‘lost in translation’ – is a result of the language difference between the CISO and the rest of the board; and the second lies in choosing appropriate vendors for solutions to help manage a wide range of areas. 
Technical people usually have a technological mindset; they are focused on their specialist tasks and processes. Before reaching board level they often lacked the opportunity for true business engagement, even if they had experience as IT generalists. However, the role of CISO requires a strong balance of entrepreneurial understanding, business acumen and technical knowledge.
The CISO is a relatively new role and does not yet have a professional map. As mentioned, they manage a wide range of areas: security strategy, IT risk management, threat management, identity and access management, security performance management, IT compliance management, third-party security, and security architecture.
The latest research shows that people hold a CISO position for an average of 18 months and the reason for that is obvious. This period coincides with the complete cycle of one IT solution procurement and implementation process, the results of which could demonstrate whether the CISO made a strategically correct decision or not. So choosing the right partners appears to be crucial for the survival of the CISO.
If your career goal is to become a CISO, the following steps should help you:
Remember to negotiate a security budget. The procurement decision of a security solution should not be based on costs alone, but on a qualitative analysis of the company’s needs, regulatory compliance, the cyber threat landscape and IT risks.
Become a trusted adviser in your company. Be aware of security risks to company data, and be able to identify and follow industry trends. Make strategic decisions: you cannot be focused on just a few problem-solving issues; you need to have a bird’s-eye view of all problems, at the same time. This also involves choosing an appropriate IT vendor, one that provides solutions, not just products.
Bear in mind that your organisation is a target. It’s likely, not just probable, that it will be attacked. You need a comprehensive security strategy in place. This should cover the whole corporate infrastructure, contemplate necessary changes to that infrastructure over time and leverage expert security intelligence to provide an effective defence.
Be prepared to find common ground with board members. You will need to communicate effectively on matters concerning IT risks and how they may affect the business, considering the bigger picture and the business’s strategic direction. Have an open mind and gain cross-functional knowledge and skills. Stop talking to the board in technical language and start using business language.
Be human. Build relationships inside your organisation and earn credibility. You have to lead your workforce on the way to a secure future. Remember that technologies cannot work without appropriate human behaviour, so it is important to have your staff on your side when you make changes or implement new procedures. If employees are resistant, be sure to educate them about your policies to bring them on board. Importantly, the process of strengthening security should not have a negative impact on employees or prevent them from working efficiently, so listen to their concerns and implement processes to help them.
 
Jimmy Fong is channel sales director of Kaspersky Lab SEA.
 