When CISOs are doomed to fail, and how to improve your chances of success

There’s a joke cryptographer Jon Callas likes to tell: CISO stands for Chief Intrusion Scapegoat Officer, “because CISOs are often thrown into a position where they can’t succeed.” Callas, who is the director of public interest tech at the Electronic Frontier Foundation, says that security officers are often “simultaneously in charge and powerless.” They know what they should do to mitigate risks, but they can’t get enough support.

This predicament threatens to overwhelm them. Almost 90% of CISOs consider themselves under moderate or high stress, and many change jobs often. According to the Heidrick & Struggles 2022 global survey, almost a quarter of CISOs have held their previous position for less than two years and 62% have been in their current role for less than a year.

“It’s important to fix potholes, because sooner or later somebody’s going to fall into the pothole,” Callas says. “Most of the threats that we face are, in fact, statistical ones; they’re just waiting for somebody to trip up.”

Despite the billions of dollars lost each year to cybercrime, many organizations still think that hiring a CISO is nothing more than a box that needs to be checked. Once they do, they operate as if security is solved. “Companies have to understand that it is in their benefit to back up the CISO,” Callas adds. “And CISOs have to earn trust as well.”

Chief information security officers can employ strategies to increase their chances of success and identify red flags. Here are some of them:

Look for signs of a bad CISO job

Sometimes, CISO candidates can spot a bad employer during the interview process. “You are not only trying to convince them that you are the person they should hire, but you are interviewing them,” Callas says. The recruiting process is just like zero-knowledge proof, because neither side wants to be upfront about what is going on. One of Callas’s priorities is to learn how much the company cares about security, and he does that by asking direct questions. One time, an executive he talked to admitted that management did not want better protection.

A typical question potential CISOs are asked is what they might do in a difficult situation such as a breach. When Callas hears this, he smiles and says: “Has this actually happened?” Sometimes they’ll say, ‘Oh, no, no, no,’ in a way that you know means yes,” he adds, “and every so often, you get the person who looks around and says: ‘Let me tell you what’s really going on.'”

Another priority should be understanding to whom the CISO reports: the CEO, the CFO, the CTO, or even the legal department. “[This] tells you a little bit about what they expect you to do,” says Chip Gibbons, CISO at Thrive.

Even the role of the person conducting the interview can be telltale. “If I’m just being interviewed by people within the IT function and not adjacent leaders, like the CFO or chief people officer or chief revenue officer, that would be a big yellow flag for me,” says Eric Noonan, founder of CyberSheath and former CISO for BAE Systems. “They’re not there yet in terms of their cultural engagement on the issue of cybersecurity.”

It’s also good to ask about the organization’s risk posture because it might help to understand if the management has thought about security risks. “You [might] get this faraway look in their eyes: ‘Huh, yeah, so security risks…,'” says David Stapleton, CISO at CyberGRX.

Other questions could be focused on the budget, staff size, and employee retention.

Negotiate achievable security KPIs and use numbers

One of the first things CISOs should do after they get a job is to negotiate key performance indicators (KPIs) and “make sure they are achievable,” says Michael Hamilton, co-founder and CISO of Critical Insight. “A good set of achievable KPIs is knocking off all the things you need to do annually.”

Then, the CISO needs to understand the tolerable risk level for that organization. They also have to do a risk assessment and translate the problems that need to be fixed into numbers. “When you conduct a risk assessment, you find gaps in controls, and so you say: We have a million records in the database here, therefore we have a potential liability of $200 million,” Hamilton says. “I’m going to ask for funding for controls to cut that risk in half. We’re talking about $100 million in risk reduction for an outlay of $50,000.”

The proposals for cutting risk should align with the mission of the organization and should be prioritized. “You need to frame your ask in terms of what’s in it for that person and not for you,” says Trevin Edgeworth, red-team practice director at Bishop Fox.

Use compliance to make a case for security spend

Board members and C-level executives are often hard to persuade to allocate more funds to cybersecurity and talking about the importance of multi-factor authentication might not melt their hearts. However, including compliance in the conversation might give weight to a proposal, because all the managers, from HR to engineering, know that compliance is essential to the business. “I always try to encourage CISOs to tell the story through the lens of compliance because everybody understands compliance,” Noonan says.

Find people who want to support the CISO

Every organization has people who believe in security and want to support the CISO. Callas’s advice is to find them, work with them, and help them become successful. He also suggests going to a benevolent department lead, asking them to allocate a person for a couple of hours each week to assist the security department. “The bosses would usually say: ‘Oh, yeah, I can deal with five hours,'” Callas says. “Find the things that everybody agrees ought to be fixed, and yet no one is doing it.”

Each project a CISO helps should be seen as an opportunity and should be celebrated. As Callas put it, “find a small success and start to capitalize on it.”

This strategy aligns with that of Tonia Dudley, internally promoted to CISO at Cofense. “When I first took on this role, I immediately had a couple of people [within the company] reach out and say: ‘Hey, we want to connect with you,'” she says. “So, one of the first things I said to them is that I am about collaboration and partnership because I want to make sure that we’re both successful.”

Working as a CISO also means being a “therapist” from time to time. “People are going to come to you with their horror stories and not knowing what’s going on, and you have to let them unburden their troubles,” Callas says. “You have to say, ‘Yes, that’s awful, but you’re not a bad person [because of that mistake]. Let’s work on making this better.'”

Learn to have difficult conversations about security

Nobody likes to contradict an influential person within the organization, but sometimes it is necessary. “You have to learn how to be able to get in a room and really have a conversation,” says Renee Guttmann, former CISO of Coca-Cola, Time Warner, and Campbell Soup. She suggested the following sentence structure: “I understand your position. I think that we can both agree on X, but maybe we don’t agree on Y.” Another way to put it is: “I can see your point of view, but here’s another way of looking at it.”

Guttman even adopted a strategy for situations in which she disagrees with the person she reports to. Whenever this happens, they schedule a meeting with the CFO and the head of legal, inviting them to break the tie. Sometimes, the thought of going through such a meeting can dissuade her opponent.

Seek voices from the outside

Despite a CISO’s best intentions, at times, they can’t make themselves heard. When this happens, one idea is to reach out to experts. “Sometimes you have to bring out a voice from the outside to help you make your case,” Guttmann says.

Gibbons agrees, adding that well-respected voices within the security community and consultants can advocate for CISOs, precisely because they are outside the organizations. “Bringing in consultants is a good way to get other opinions and convince the board or C-level executives to do what needs to be done,” he says. “That can definitely help, even though people get nervous bringing in consultants, which I understand.”

It’s also good if the CISO has a high profile within the cybersecurity community. “Be outward facing; be known to the media and regionally as a speaker,” says Hamilton. “The more you seem integrated into the security community, the more you can bring back information that’s been shared, and you become more valuable to the organization.”

Send three thank-you notes on a Friday

Connecting with people can be daunting because many CISOs have a highly technical background but haven’t put a lot of emphasis on soft skills. Being an effective CISO doesn’t mean only solving technical problems. It often involves solving business problems and people problems.

“CISOs probably need to focus the most on their people skills,” says Ken Deitz, CISO at SecureWorks. “It’s hard, because folks that tend to have a career track in a highly technical field tend to be a little bit more introverted than others.” One way to improve your people skills is to practice. “Start introducing yourself and start trying to build an agenda around rapport building,” he says. “When you come to a meeting, make sure you’re coming with the mindset that your job is to help make their job easier, and you’ll find that they’ll reciprocate pretty quickly after that.”

Perhaps the easiest way to connect to people is to show them that you value their work. Guttmann made a habit of sending three thank-you notes each Friday to a team member, a colleague working in infrastructure, or a client. “And every time there’s an event, you need to make sure that you have slides that recognize other teams,” Guttmann says.

She draws strength from her team. “I was always information security; I was never Renee.”

Seek mentorship

Mentors can help CISOs feel supported and sometimes offer different perspectives and viewpoints. Whenever he enters a new position, the first thing Stapleton does is look around to identify a potential mentor. He’s particularly interested in people with impressive careers who can balance stress. He then goes to that person and requests mentorship. “I’ve never once been turned down,” he says, “and I don’t think it’s because of anything special that I’m saying or doing. I think it is partially because that’s a pretty flattering thing.”

Gamify security

At times, it doesn’t hurt to “gamify” security. Edgeworth recommends finding relevant metrics and introducing prizes such as T-shirts, medals, or trophies internal teams can compete for. For instance, whichever team reports the most phishing attempts will win a prize. “Then, every month, you issue an award,” he says. “I’ve even known a CISO who has a trophy of a fish.”

The strategy can be effective. “You would not believe how quickly they bought into it,” Edgeworth adds. “[The team leads] go back to their teams and say: You are going to report every single phish, and you’re not going to click on any phishes.”

Fight imposter syndrome

Despite a CISO’s serenity and sense of humor, the job’s complexity makes these professionals susceptible to impostor syndrome. “It’s such a broad field, and there are so many different things you have to try to get your hands around,” says Stapleton. “People can be experts in thousands of different niche areas of cybersecurity, so we’re constantly confronted with our peers who seem to know things that we don’t.”

This can be intimidating to people new to the CISO role. “You’ve got to find a way to turn the volume down on that negative, doubtful, internal voice,” Stapleton adds.

Impostor syndrome is significant in cybersecurity and can hinder anyone’s ability to get the work done. Sometimes, seeking validation or resting can help.

Know when to quit

There are also situations in which CISOs can’t move the ball forward anymore. “If you’re consistently trying to make the point in the best interest of the company and you’re not being heard, if you find that other executive peers undercut you, those are indications of poor security culture within an organization,” Stapleton says. “And if it’s at the leadership level, that is very difficult to suss out and change.”

Callas agrees: “If you are just being Sisyphus, if you are pushing the rock uphill, and it slides down again, it might feel like no progress, you might also just say: I want to go somewhere else.”