A CISO Mid-Life Crisis
This month marks my 6th anniversary as CISO. I’m as surprised as anyone. I thought, when I took the job, that I would perhaps be in role about 3 years. The fact that it is now year 6 has more to do with the culture of the organization (which is great) and the type and amount of work still to do (which is also great).
The statistics would say that the average tenure of a CISO is about 2 years. Some jump to another job for higher pay. Some jump for better corporate support of security. Some jump because they’re pushed.
I have another thought, and one that is both hopeful (for the industry) and concerning (for me).
We’re Getting Better At Security
Yes, I know there are a lot of news reports about companies being hacked and reporting their massive losses. There are, however, just as many companies NOT getting hacked and not reporting losses. I know, I know, what about the “there are only two kinds of companies: those who are hacked and those who don’t know they are hacked” trope? I think there is now a third category of company:
Those who have limited the effect of a hack to a resilient, manageable state that just doesn’t make the news.
Think about this for a moment. There are many companies, admittedly larger with more resources, who have made the strategic effort to invest in Security. The CISO has actually a “C-level” job, with the ability to support the mission of the organization with their expertise and executive-level skills. The Security function is funded, both in the security team as well as within all the other operational teams at the company. The Security function is embedded in all operational decisions. Cyber issues are accounted for in their executive crisis communication plans and business resiliency activities.
For these organizations, it doesn’t mean they are attacked less, or have perfect humans, or have all the money they want. For them, it means they’ve reached a point where, when stuff does happen, the impact is small, and it is managed as Business-As-Usual, not as an Oh-My-God-How-Did-This-Happen-Dumpster-Fire.
For the CISOs in these companies, their job is less about being an adrenaline junkie and more about being a business executive. Yes, there is still tech involved, but it’s in the context of where the business needs to go, what it wants to do, and how the Security function enables that vision. It’s not about black ops and obscure code and FUD. Those things still exist — but typically not in the CISO organization.
But I LIKE adrenaline! And herein lies the concern…
The CISO role isn’t what it used to be
Those of us who have been in the industry long enough to have a CISO title have typically been in the industry a couple of decades (sigh - I’m getting old) or more. When we started, the role of a CISO didn’t even exist (thanks Steve Katz) in most industries, and even if it did, it was seen as a Technical Role made up of Technical Folks who did Technical Stuff. That Stuff was usually very reactive, responding to this threat or that crisis. The vendor community hadn’t picked up the defense ball yet, so each security team was largely on their own to solve for the security problems, usually through the lens of infrastructure (application security would come later). What drew many people into the Security field was first the Technical Stuff, combined with the Emergency Response service need, combined with the Culture of Superiority that went along with the super-smart people in the community. We were special, and we knew it.
These same people are now sitting in board rooms talking about strategies and budgets and organizational change management. For some, this is exactly where they wanted to be all along, and the reality is that these folks are the most effective at managing Security risks for an organization. But, like the retired athlete who fondly remembers the glory days of their athletic heyday, there are CISOs who are vaguely aware that something is missing. On the one hand, you don’t WANT a lot of firefighting and hair-on-fire emergencies, because that would mean you’re not doing your job. On the other hand, a little bit of excitement would go a long way to re-energizing the profession and the professional. Right?
Should I Buy A Hot New Convertible?
So here I am, 6 years into this job, and I really like it. I have a great team who take care of Stuff with no drama, no fuss, and a high degree of professionalism. I have bosses who “get it” and support Security in ways big and small. I can see the impact I have, and my team has, on the organization every single day. The organization does great things, all the time, and I’m proud to be part of it.
Now what?
Embrace New Technology
There are a lot of newer technologies emerging which will impact our ability to secure our stuff: 5G, Quantum Computing and its impact on encryption, AI, etc. I know, I know, the tech has been around for a while — but I would argue that it is only just now coming to a place where we Security folks can do something about it. So, a comfortable CISO can get uncomfortable really quickly by diving into this stuff. This isn’t about giving direction to the team architects and leaning back and waiting for them to advise you. This is about rolling up your sleeves and going back to the future to personally dig into the technology.
Embrace the Physical World
We understand that the cyber world can impact the physical world — but too many companies still manage these domains in separate silos. You want an adrenaline rush? Work with your physical security teams to see how messed up we can make all our lives using the cyber techniques we already know. As Richard Clarke notes, cyber is the Fifth Domain. Make sure you are connecting the dots to the operational technology groups, and the defense organizations in the federal, state and local communities.
See One, Do One, Teach One
Also known as “giving back”. Staying close to people who are new to the industry is a way to stay close to people who are inspired by the profession, amazed at the things we can do, excited by the possibilities. When you’re the CISO in the finance meeting discussing budget challenges, it’s nice to know the direct impact you will have on these people when you get the budget you want. Even better than staying close to these folks, take an active role in teaching them. It helps dust off old ways of doing/thinking, and gives you an opportunity to get back to concepts you’ve forgotten about.
Also — teaching doesn’t have to be confined to traditional student groups. Think about all the cyber-security startups that THINK they know what a CISO wants, when they really don’t. Help them avoid landmines by advising these groups (and their VC backers), and be part of the innovation culture that is doing such amazing stuff.
Help a Buddy Out
If your organization is in the “vanilla ice cream” state of Security, go find folks in an industry that is still in the “chunky-monkey” state, and help them out. Can I suggest that your local state government, or your favorite non-profit, could probably use your help? Budgets are tight, technology is old, and leadership is often less than tech-savvy. You can make a big difference to a lot of people. You’re likely to run into some firefighting, which is fun (!), and you are likely to make a big difference with a small amount of effort, which is satisfying.
There will always be CISOs that jump from job to job looking for the next thing to fix, or the next paycheck, or the next rung on the career ladder. I would suggest that, as more of us arrive where we want to be, we will have to make a choice about staying in role longer while still finding professional satisfaction. This is difficult if you’ve been raised on a diet of going crisis-to-crisis, looking for the next emergency to resolve. Finding a way to stay engaged and enthusiastic when things are going well is a new challenge for many of us, but so worth doing for our organization’s sake, as well as our own.
May it be so.
-July 2019