The Curse of the Decade for Many CISOs

The Curse of the Decade for Many CISOs

It’s often trying to go too fast with the wrong leadership baggage that drives CISOs to failure.

The cybersecurity narrative on social media remains driven by the misleading messages of tech vendors, and dominated by considerations of insufficient investments and challenges in convincing top execs. It has been the case for as long as I have been writing these columns.

In real life, many CISOs now face a very different situation.

The fact is that the penny has dropped in many boardrooms over the past few years, as we have written repeatedly in these columns: Cyber-attacks are now seen as a matter of “when”, not “if”, and this paradigm shift is engineering dynamics which are totally different to what CISOs might have experienced over the past decade.

In practice, it is not rare for the dialogue between CISOs and senior execs to shift overnight from “why do we need to spend this?” to “how much do we need to spend?”.

This is seriously more common than one might think in field practice, and is generally triggered by incidents, near-misses, regulatory fears or more simply, a new executive taking up a top position and daring to ask the questions nobody wanted to ask before.

For the CISO, elevated at pace from a firefighter role to a transformative one, and often given substantial means (sometimes by the same people who were denying them before), the situation can become a curse more than a blessing.

Because now expectations are high, visibility is raised and it is implied that execution needs to follow.

But execution often remains a challenge, in particular in large firms: Cybersecurity is a complicated beast, intrinsically cross-functional, which requires reaching across silos and geographies; something large firms are not particularly good at in my experience.

Many CISOs, trapped in the technical firefighting of data breaches with inadequate resources throughout the last decade, have not been equipped – at a personal level – to face a gear change of that magnitude, and at that pace.

Many were technologists by background have remained technologists, in spite of their claim to “enable the business” or to “talk its language”.

Nothing wrong with that, but transformational challenges require different skills to be credible and audible across the firm, and to drive the actual delivery of cybersecurity measures at the right place across IT, business units and support functions.

Managerial acumen, personal gravitas, political finesse, real credible knowledge of the business: Those should be the real attributes of the security transformational leader; more than their understanding of zero-trust or quantum cryptography (or whatever the hyped topic of the moment happens to be)

Many burnout and mental health issues affecting CISOs are rooted in that type of mismatch, aggravated by frustration and short tenures: You simply don’t achieve anything meaningful in a field as complex as cybersecurity in 18 months to 2 years. And you don’t learn much by leaving at the first hurdles in terms of management experience. And when the industry leads you to believe you are a “star” by allowing you to move from one job to the next always for more money up to some extravagant figures, you have the ingredients of a serious storm.

It might be counter-intuitive in the face of the transformative urgency, but CISOs facing those challenges need to take things slowly and give themselves time: It’s often trying to go too fast with the wrong leadership baggage that drives personal and project failures.

Business leaders will generally understand that complex transformation takes time, and value honesty and realism around timeframes.

The key for the CISO – as is often the case – lies in under-promising and over-delivering, splitting the delivery in manageable chunks and selling success along the way to build trust with stakeholders.

Trust and success, in turn, will become the true engine that builds confidence and drives the true dynamics of transformation.

Have Your Say: