Features 07.03.2023
Unpicking the Great CISO Resignation
CISO turnover is high, and a tenure rarely exceeds two years. But why? Dan Raywood investigates the concerning trend of the great CISO resignation
Features 07.03.2023
CISO turnover is high, and a tenure rarely exceeds two years. But why? Dan Raywood investigates the concerning trend of the great CISO resignation
First things first, at a recent non-executive director meeting, an experienced business leader asked: “what’s a CISO?” So, let’s address that for any readers scratching their heads at yet another acronym job title. A CISO is a chief information security officer or the executive responsible for an organisation’s technical resilience and cybersecurity posture.
In 2022, over the course of just eight days, it was reported that several US state CISOs resigned their positions, including those working for the states of Oklahoma, Georgia, Pennsylvania and North Dakota.
A Blackfog survey from November 2022 found that 32% of CISOs or IT cybersecurity leaders in the UK and the US were considering leaving their current organisation, while 41% had either left or were let go as a direct result of a cyber attack or data breach.
The reality of stress and burnout upon cybersecurity leaders has been well documented. The same survey also shows that 30% of respondents cited a lack of work-life balance among their reasons for leaving a CISO role.
Is the burnout factor leading to a resignation crisis? Brian Honan, CEO of BH Consulting, suggests that the unprecedented number of resignations could simply be down to CISOs finding better opportunities. However, the survey numbers only tell half a story, and it’s prudent to note that those US State CISOs had been in their roles for more than five years. Considering that the average tenure of a CISO, according to Huawei CISO, Matt Lemon, is just over two years, the five-year resignations suddenly look different.
“Good CISOs recognise the organisations with opportunities to develop themselves individually,” Honan says. “If they join a company and see that they do not have the opportunities and support, they can simply move on to the next role.”
Lee Barney, general manager of tech security at TPG Telecom (and owner of multiple CISO job titles on his CV), says that a successful CISO is like a chameleon, capable of moving between different organisations and making things work. “The most employable [CISOs] can move around, indistinguishable from other business leaders. They are inspiring and have good opinions on security and business, and [the ability to] relate the two,” he says.
If today’s CISOs are leaving to pursue other (better) opportunities, just how many vacancies are there, and are recruiters being bombarded with an influx of those seeking new roles? Owanate Bestman is the founder of cybersecurity staffing resource firm Bestman Solutions and has witnessed a trend of people seeking new positions over the past few months. Of all the areas of recruitment he has worked in, there’s “no community like cyber”, he divulges, noting conversations about which companies are best to work with are commonplace.
“Just because you have the title of CISO, it doesn’t mean you are [automatically] trusted; you have got to prove yourself, and that is no different to any other executive in a business” Lee Barney
Bestman says there are a variety of different reasons for a CISO leaving their role that are not necessarily unique to CISOs. These include discontent or unhappiness in their current role, seeking increased support, or looking for a new challenge in a more “green field environment” and the quest to “walk a path that has not been walked before.” There is also the more common contract seeker, he adds, who will come with a 12-month road map on what they want to do.
“What I’ve learned from savvy CISOs is they will embed themselves in an organisation,” he explains, and the even savvier CISO will come with a three-month strategy and know what they want to achieve.
One theme that cropped up in many conversations for this feature is the disconnect between the CEO and the CISO. It was said that often the CEO needs to learn how to engage with the CISO effectively and that perhaps the motivations behind hiring a CISO were not necessarily conducive (for example, hiring as a regulatory tickbox) to a healthy role or relationship.
Bestman says he often sees organisations searching for “unicorns whom they can slap a CISO title on”, when in reality, what they’re looking for (even if they don’t yet know it), is “someone to work on governance, risk and compliance (GRC) and work with regulators.” The appeal of hiring someone with the job title ‘CISO’, he explains, is seen to add “more gravitas and is more attractive when speaking to partners.”
Honan believes that the role of the CISO is relatively new to many organisations in comparison to other C-level positions like COO or CFO. The latter titles have “been around for much longer and are much more defined as a role. As a result, there is much more definition of the skills and experience to be in that role.”
The interviewees in this feature raised the frequent disconnect between what businesses expect from the CISO, and vice versa, which could be another explanation behind the great CISO resignation.
Jon France, CISO of the information security training and certification association (ISC)2, says that many businesses now fully understand the need for a CISO to be in place, even if they’re not entirely sure what that looks like. There is an understanding that ‘when not if’ a cyber attack happens, “it is better to have me in the organisation than not.”
The GDPR specified the appointment of a data protection officer, and there is now a proposed introduction of regulation which will require the presence of a CISO too. Recent proposed amendments to the cybersecurity regulation by the New York Department of Financial Services specify the actions of a CISO in the reporting and notifying of incidents, while an early draft determined that a CISO should be appointed.
France says that while there is no hard regulation yet, he is starting to get the sense that governments and regulators will require “cybersecurity understanding”, which has to be made at a business level.
According to a blog by Zubair Alexander, titled ‘What’s the cost for not having a CISO on staff?’, a 2021 attack on the Irish national health system cost at least $600 million, and a PwC independent post-incident review discovered that HSE was operating without a CISO. Instead, they had 15 inexperienced full-time cybersecurity staff members, including two students. There are, of course, zero guarantees that had there been a CISO in place that the attack could have been prevented.
Are businesses failing to take cybersecurity or the CISO seriously? Is that part of the problem? Barney says it isn’t. “If you take the average CEO of a large company and ask them if they take security seriously, they will say yes. If you ask them how they know they have taken security seriously, they will say they have employed a business partner to tell them when things are going right or wrong. That [partner] is the CISO.”
However, slapping a CISO badge on someone isn’t enough. It needs to be more than a title, with the autonomy to report into the CEO “when things are going right and when they are going wrong,” explains Barney.
Equally, the CEO has to trust those around them to do the job that they are doing. So, reverting to the original topic of the great CISO resignation, is a lack of communication or alignment to blame for the shed-load of P45s?
Barney refers to unrealistic expectations that some CISOs may take with them on their first day in a new role. The newly-recruited CISO may “go in thinking they are ‘all that’, and then they get there, they’re not, and so they leave because they are unhappy.”
“Those who say the business doesn’t take security seriously are those who don’t understand the business they are in,” Barney says. Those CISOs who expect the CEO’s full and undivided attention will be inevitably disappointed, he continues. “Just because you have the title of CISO, it doesn’t mean you are [automatically] trusted; you have got to prove yourself, and that is no different to any other executive in a business.”
So, how does this tie into the theme of the great CISO resignation? If CISOs feel they are not taken seriously, or the business does not have their best interest at heart, they’ll leave the job. If CISOs see a better opportunity elsewhere, they leave the job. If CISOs do not feel that their strategy aligns with the organisation’s strategy, they leave the job.
The question of whether there is a great resignation crisis for CISOs is interesting. Perhaps there’s just a truckload of new opportunities and vacancies presented to the more experienced CISOs, sparking some movement.
France says he is not picking up any vibe of mass resignations. Still, from data solicited at roundtables he has attended, he has detected that many CISOs move on after two years but often stay in their vertical. France attributes these relatively short tenures to challenge, salary and seniority. Tech companies, including cybersecurity firms, make good homes for CISOs, given an inherent understanding and appreciation for the value they can deliver.
People leave their jobs all the time in pursuit of other opportunities. This is a reality not unique to cybersecurity. It doesn’t mean there’s a great CISO resignation. In reality, the deeper issue of the disconnect between CISOs and their organisations is a tougher problem to fix. Respect, appreciation and understanding of a CISO’s role give an organisation the best chance of stopping their CISO from getting that two-year itch.