The real reason so many CISOs are so stressed

A lot is often made of the Chief Information Security Officer (CISO) being the most stressful job in an organization. And there’s certainly some truth in that. After all, CISOs have a range of challenges to deal with – and increasingly sophisticated online threats are only the tip of the iceberg.

A CISO – or CSO – is still a relatively new concept for many organizations. As a result, many find that their role and remit overlap with other departments: IT, Risk, Legal or even Sales. And part of a CISO’s job is to report on where the C-level heads of these departments may need to improve, while one of those same individuals – usually the CIO or CFO – is often their direct boss. Often, organizations fail to recognise the diplomacy and tact the role demands – especially when a CISO or CSO is required to take ownership of, or overhaul, decisions and systems which existed long before they arrived.

The reality is that, despite the ‘C’ in their job title, CISOs are often C-level in name only. In much the same way that, until recently, marketing was considered part of sales or culture part of HR, CISOs are too often relegated to the kids’ table while the grown-ups talk in the boardroom. The stakes for CISOs are incredibly high: after all, the average cybersecurity attack on a company in the US costs in the region of $4.24 million. Downplaying their strategic importance does nothing to help their mental wellbeing – or to challenge the false but enduring perception of the CISO as just another guy who can connect you to the printer.

Cybersecurity is a trillion-dollar problem, and one that doesn’t discriminate by sector or organization size. Dealing with online security in a knee-jerk manner as problems arise is no good for stress levels – and certainly no good for preventing breaches and the costs that come with them. Finding a solution requires attention and investment. The CISO role needs to be better understood within the wider context of company success and, for that to happen, cybersecurity needs to be treated as a strategic business area. In part, this means having the right resources to build and maintain a strong, standalone department; but most importantly, it means creating true C-level CISOs who bring independent voices. These voices need to be heard when, and not after, big decisions are made.

It’s simply not good enough for companies to subject CISOs to insufficient budgets, an understaffed team and limited powers, and yet also expect them to shoulder the blame when a cyberattack occurs. In this scenario, it’s hardly surprising to learn that most CISOs last less than 26 months in the job. Organizations need to put as much energy into retaining great cybersecurity talent as they do into finding and securing it in the first place. Until companies heed this vital lesson, they will never have the peace of mind they need to plan confidently for the threats of tomorrow.

Aspiring or established CISO looking to be hired? At Cyberstrike, we’ll always advocate for talented cybersecurity professionals and defend their worth. Start a conversation and see where it could lead.
