Why CISOs change jobs

Feb 21, 2023 | 4 min read
Careers, CSO and CISO

CISOs often deliver suboptimal performance and have a short shelf life. Organizations are often at fault for both outcomes.

[Image: laid-off worker leaving the office. Credit: Lee Charlie / Shutterstock]

Being a CISO is a hard job. You must constantly balance business, technology, and regulatory requirements against things like employee and adversary behavior. You can be a superstar, build a world-class cybersecurity program, and follow best practices, providing exceptional protection for the organization. Despite this excellence, a single employee can click on a malicious web link, share a password, or misconfigure an asset, leading directly to a successful cyberattack. When this happens, it’s your fault.

Yup, CISOs have heavy responsibilities. How are they dealing with this burden? Not very well, according to research from ESG and the Information Systems Security Association (ISSA). The data reveal that 57% of cybersecurity professionals believe their organization’s CISO is only somewhat effective, not very effective, or not at all effective.

CISO performance depends on the situation

Reading between the lines of the research, it appears that lackluster CISO performance is often situational, and it creates a lot of the churn we see as CISOs move from job to job. Using the ESG/ISSA research, we can dig further into suboptimal CISO performance and attrition simultaneously. When asked why CISOs tend to change jobs every two to four years, security professionals answered as follows:

  • Thirty-three percent believe CISOs change jobs when they are offered higher compensation at another organization. It’s all about the Benjamins in many cases, which may have nothing to do with job performance or satisfaction. I heard lots of examples of CISOs being offered up to 40% more to move on. It’s hard for CISOs to say no, so it’s incumbent upon CEOs, boards, and HR executives to remember that strong CISOs are the sexiest of catches. There will always be suitors, so the C-suite must monitor the hiring landscape and continuously assess what it can do to keep a successful CISO happy.
  • Thirty-one percent believe CISOs change jobs when their current organization has a culture that doesn’t emphasize cybersecurity. Clearly, a CISO’s job performance is highly correlated with cybersecurity culture. If it’s not there, employees will run amok, security will be glued onto applications upon production deployment, and the security team will remain in emergency mode — not exactly a healthy work environment. CISOs can influence culture, but CEOs (and HR) must drive cultural change. If this isn’t happening, CISOs can’t do their jobs and head for the exits.
  • Twenty-nine percent believe CISOs change jobs when the cybersecurity budget is not commensurate with their organization’s size. Money can’t buy love but when spent wisely, it can help bolster cybersecurity protection. Don’t get me wrong. CISOs can and should manage and maximize expenses, but there are limits to what they can do. A chronically underfunded security program indicates a communications gap (i.e., CISOs can’t adequately explain what they need and why they need it), or more likely a philosophical gap (i.e., CEOs and boards don’t believe the organization is a target). Either way, CISOs can’t turn water into wine and tend to seek out “greener” pastures from a budget and situational perspective.
  • Twenty-seven percent believe CISOs change jobs when they are not an active participant with executive management and the board. There’s a pattern here. When CISOs are not engaged with executives and the board, business decisions eschew things like cyber-risk management or threat modeling. CISOs are perceived as “Dr. No” and can’t adequately protect the business, while the cybersecurity team lives in a constant state of firefighting. CISOs tend to move on from this “can’t win” scenario.
  • Twenty-five percent believe CISOs change jobs when their organization treats cybersecurity as a regulatory compliance exercise. Hello, 2006 calling. Most organizations have moved on to understand the difference between strong cybersecurity and compliance checkboxes. Alas, some haven’t. This is a potential career killer, so smart CISOs move on quickly from compliance-centric firms.

CISO job search red flags

To be blatantly obvious, CISO success and tenure are highly correlated to executive management decisions at their organizations. While I’m sure that CISOs get a rosy picture from headhunters, HR managers, and executives during the interviewing process, savvy security executives probably know if they have any chance for success within the first few weeks. At that point, doubts are often followed by resume updates and career development plans.

During their job search process, CISOs should also watch out for red flags. If an organization has had several CISOs in the last five years, it could be that predecessors found more money elsewhere. Alternatively, maybe cultural, budget, and management hurdles make organizations a CISO “no man’s land.” Caveat emptor.

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.