Building CISO Longevity
Industry studies and surveys consistently point to the average tenure for a Chief Information Security Officer (CISO) ranging from 18 months to 4 years. Several factors contribute to this relatively short average tenure compared to other key leadership positions: CISOs may depart to advance to better opportunities, to escape burnout from the demanding nature of the role, or because they are not in sync with their senior leadership.
Frequent turnover in any key role hurts an organization. With the increasing strategic importance and board-level visibility of the CISO role, longevity in the role is an organizational asset, and fostering endurance should be a goal. Having CISOs remain with an organization for an extended period can bring many benefits, including:
Strategic knowledge: A long-tenured CISO can accumulate a deep understanding of the organization's business operations and strategy, history, culture, critical assets, and risk appetite that enables the development of more effective security strategies.
Relationships and trust: Being part of an organization for a significant period creates the opportunity to build credibility and trust across business units, executive leadership, and the board. This helps gain buy-in for initiatives, resources, and embedding security into business operations.
Vision and maturity: A tenured CISO can bring the consistent vision and long-term mindset needed to see multi-year strategic plans through to fruition and the maturation of the security program.
Comfort: A long-standing leader in this critical role can bring comfort to your board, your auditors, your cyber insurers, your legal and compliance teams, and the workforce.
Culture: Building and maintaining a positive approach within the security team and a strong security-aware culture across the organization are marathons, where steady and sustained leadership is needed.
Mentorship and stability: A long-time CISO can use their accumulated knowledge and understanding of organizational dynamics to be an impactful mentor for members of the cybersecurity team, sustain strong morale, and foster retention of top performers.
Given that CISO longevity is a good thing, how do organizations make it happen?
It requires shared effort and alignment by the CISO and the CEO.
The CISO must develop their personal habits and team to manage the pressures and responsibilities of the role. It is difficult to avoid flame-out or thinking the grass is greener elsewhere when you are continually stressed. Ways to keep the pressure from becoming stress include delegation, preparation, prioritization, and strong communication with peers and senior leaders. CISOs need to continually evolve their knowledge to stay current with the evolution of the business strategy, develop their art of constructive conflict, and be able to speak openly with their CEO, board, and business leaders about issues.
Some critical elements of a CISO’s job are outside of their control, and that is where CEOs can be the difference between staying or going. The personal relationship and access are clearly important, but beyond that CEOs need to ensure they are positioning their CISO for success. Job level, reporting structure, resources, and compensation all need to correlate directly with the size and responsibility of the role. There are several annual surveys to provide comparisons, and looking at companies of similar size and industry can be helpful.
The benefits of retaining a seasoned and effective security leader are substantial. Organizations that can foster an environment where CISOs can thrive long-term are likely to reap the rewards of a more strategic, resilient, and mature cybersecurity posture.
Hold Fast
Stay True
-------------------------
Shameless Family Promotion: My brother Michael’s 40th novel was published this past week. Many of you may recognize his leading characters, Harry Bosch, Mickey Haller, and Renée Ballard from his books and Amazon Prime and Netflix series. His new book, “Nightshade” introduces a brand-new character, an LA County sheriff’s detective covering Catalina Island off the coast from LA. If you are looking for a summer read – here is your book!