The First 100 Days of the New CISO: Expectations vs. Reality
The situation the new CISO finds on arrival is often different from what they were expecting, but who is to blame?
A painfully recurrent complaint among Chief Information Security Officers (CISOs) is the disconnect between what they were promised during the recruitment process and the actual situation they find upon starting the job.
Indeed, it is quite common to hear freshly hired CISOs blame their less-than-smooth transition into the role on “broken promises” (some explicit, some simply assumed), such as inadequate resources or insufficient attention to cybersecurity from key stakeholders.
This is a real issue, as it often results in CISOs not staying long enough in the job to drive any real or lasting change, and it leads to the long-term stagnation of the cybersecurity posture of many large firms and of the InfoSec industry at large.
There are several possible reasons for this disconnect between what a new CISO is told and what they find on arrival:
It might be that the very stakeholders who supported the recruitment of the new CISO into the role are gone by the time the CISO starts. This is not uncommon within large organizations where people – and the priorities they push for – tend to come and go. Little can be done about this – except trying to gather support from new allies within the firm – but it can be very unsettling for the CISO.
Another issue is that hiring managers may not be sufficiently cybersecurity-savvy to frame and express precisely what they are looking for in a CISO. This can result in a misalignment between what the CISO thinks they are in for and what is actually expected of them. It is often used by recruiters as an easy excuse for an inadequate hire, which raises the question of whose fault it actually is.
Beyond those reasonably common issues, which could affect any senior position, there are more fundamental problems specific to senior cybersecurity roles:
Plaguing the whole security industry is the issue of semantics. In cybersecurity, the same term is often used to mean drastically different things – sometimes leading to profound misunderstandings between parties.
This is a particular challenge for the CISO: concepts such as risk or threat mean different things to different people, and a great deal can end up “lost in translation”. For an excessively tech-oriented CISO with little managerial experience, “threats and vulnerabilities” may mean “hackers, ransomware and missing patches”, while for their management it may mean “fraud, insiders and lack of managerial supervision”.
More generally, the CISO may also be part of the problem, in that they do not listen enough to key stakeholders to understand what is actually expected of them, and instead focus on the technology front because it is their comfort zone or their pet subject.
If what is expected of them is to step up as a cross-functional change agent, that narrow focus becomes a significant handicap for the CISO and a major source of disappointment for the people who hired them.
This is the typical type of situation where distrust sets in and the promised resources or budgets do not materialize, leading to more frustration for the CISO.
Conversely, there are still organizations looking only for a CISO with a highly technical profile to deal with the daily tactical firefighting. In such a context, pushing for an ambitious cybersecurity transformation plan that the organization is not ready to accept, or even to understand, is likely to prove complicated.
An agenda of governance and cultural change could be what the organization needs, but the CISO should not be surprised to be met with reluctance, incomprehension and politics.
They should instead roll up their sleeves and start working relentlessly on convincing, engaging, and finding allies, while addressing tactical quick wins. This is the type of situation where proving your worth by getting your hands dirty could break deadlocks.
Both the CISO and those who hire and manage them must therefore engage in some healthy self-criticism around “broken promises”, and most importantly clarify any misunderstanding between them as early as possible.
Leaving after a couple of years – or less – because the CISO does not feel empowered or thinks they have been mis-sold the role does not seem like the right managerial attitude, and the situation has the potential to become self-perpetuating: each short tenure leaves the next CISO facing the same unresolved expectations.
Trying to identify and address the underlying misunderstandings and roadblocks would be more beneficial, both to the organization and the individual.
Only then will the CISO be able to feel – and in fact be – successful in the role (and those to come).