On average, a CISO lasts for 18 months in the job – this is evident from our market monitoring at CSA CPH. Thus, the CISO role has become one of the major job-hopping positions of our time.
Why is that?
Are CISOs opportunistic career climbers chasing the next pay increase in a market where the wages are rocketing (22% over the last 2 years) – and who are therefore exploiting the major demand for qualifications and experience?
The answer is no. Most CISOs are anything but. They are people with a great sense of responsibility and strong morals who are driven by making a difference – driven by making society a safer place for companies as well as citizens. They take on this responsibility in spite of the challenges that come with this role and in spite of the fact that it is a job where you are never really off the clock.
So, what is it that makes the CISO role so thankless that many quit after a short time? In our dialogue with the CISOs, we have heard the following explanations:
Lack of resources: The lack of resources and qualified employees within IT security is a well-known and often mentioned problem. It is a struggle for the CISOs to attract the necessary specialists. Furthermore, the headcount allocated to this area is often of a negligible size. Moreover, many small and medium-sized companies in Denmark are of a size where it would not be justifiable to have a team of 3-4 employees, which is often the level required to cover the various areas of specialisation in this area. Thus, the CISO will often end up spending a disproportionate amount of time on ensuring resources, recruiting, training and then losing employees again.
Alone in the role: In most small and medium-sized companies in Denmark, the CISO has to handle the responsibilities alone – i.e., perform all tasks from operational security to supplier management, compliance and governance. Once the CISO’s role becomes this broad, it will obviously be difficult to deliver and ensure quality – and thus be successful.
Many first-time CISOs are not prepared for the extent of the role: Obviously, they have limited experience. They are often strong in a selection of the professional subject areas, but they hit a wall regarding getting their agenda approved by management. Often, they are surprised by the fact that they do not only have to battle against unknown external opponents and old technologies, but also have an internal struggle against management and board to deal with.
Management wants quick fixes at no cost: A challenge that requires a lot of energy from many CISOs is that management has no idea of the extent of the task, and they prefer a quick and inexpensive solution instead of investing in what could ensure a basic and more long-term security level in the organisation. Manufacturing companies in particular are still burdened with significant technology debt from old legacy systems, and combined with having to keep up with development, the task becomes extreme.
A race with time – you are never off the clock: When working with IT security, you are up against an external opponent that you do not know, who never sleeps and who can strike you down without you knowing that you are a deliberate target. As a CISO, you are up against a threat assessment that is constantly changing, which requires you and your team to be on the job non-stop.
Focus on reporting on business terms: The role has developed from being a technical task that required technical qualifications to being a management task that requires focus upwards, downwards and broadly. In order to succeed, a CISO has to be able to report based on financial and business oriented KPIs and be good at spending energy on stakeholder management. It is no longer enough to propose the best possible technical solutions – a CISO has to be prepared to be convincing based on financial arguments and KPIs.
Limiting factor for development: IT security is an area attracting a lot of attention, but at the same time, a CISO should not limit development, which usually involves digitalisation. And YES – when you are dealing with digitalisation, security is a part of the equation, but it is considered a limitation rather than a basic necessity. Security is rarely included from the beginning of development projects, and often, it is a struggle for the CISO to become involved. If security issues occur at a later time, the CISO will be the one getting blamed. Consequently, everyday life for a CISO is filled with fights with engineers, creative employees, business developers and an IT development that is constantly in flux.
An area filled with secrecy: Companies do not want their weaknesses and vulnerabilities to be on display, which makes it difficult for the CISOs to share experiences and achieve professional discussions based on specific problems. Thus, the exchange of experiences will remain in general terms.
Tangible and direct consequences: As a CISO, you have to live with the constant fear that your company might be the next to experience a breakdown. All companies are subjected to attempted attacks – will you be the next to be criticised in the media and have to deal with the major financial consequences following a breakdown? No matter what, the CISO will always be perceived as the person who was not able to do his/her job well enough.
The list is undoubtedly longer than this, but the above statements from CISOs interviewed by CSA CPH already provide pretty good insight into why this is in many ways a thankless role. In addition to an intangible external threat, you are struggling with internal agendas, access to resources, limited powers, technology debt, management that does not want to face facts, and probably much more.
IT security is definitely increasingly on the agenda among managements and boards, and in the media spotlight, but it does not seem as if this has made it any easier to be a CISO; on the contrary. This has just added a new dimension to the role that most are not equipped to handle, neither professionally nor personally – and do not have the time to handle.
From our perspective, the consequence is that many choose a freelance career, among other reasons because they cannot or will not take on and live up to the responsibility of the CISO role. This means that we will not achieve the required learning environment in this country where the CISOs grow with the management task – which also means that when we fill the CISO position, we have to look abroad in order to find candidates with the necessary experience.