It was approximately one year ago that I made my decision to transition from a massive Fortune 100 organization to a security technology startup. There were many reasons for this conclusion. After mulling over such a change in my career path for nearly two years, it was also not a decision that I made lightly.
Since my transition and following the publication of now well-known articles from a few authors on the topic, I’ve been regularly asked to comment on the legitimacy of “CISO burnout”, its causes, and potential opportunities to improve the situation overall. In the hope that continuing this conversation benefits the larger community with regard to a problem that exponentially worsens every year, I wanted to take a moment to share some of my perspectives on this topic.
The short answer is yes.
Effective cybersecurity leaders and their teams have been protecting organizations against some of the greatest risks facing enterprise brands and operational viability for the last decade. The unfortunate fact is that up to this point, most have been doing so with very limited support. Many organizations that have yet to experience a public breach (often due to effective cyber teams and programs) or that are being guided by leaders that have also yet to be impacted by such an event continue to view security as a necessary evil that requires little understanding or involvement beyond the actual security team.
Note that I make no mention of dollars being spent or not being spent on cyber programs, but rather of an enterprise’s willingness to consider managing security and data privacy risks as the new normal for all business and technology functions if it wishes to remain an active and viable business and competitor in a market.
Large enterprises typically rely on annual planning exercises to determine company and department/function (e.g. HR) goals for the year, with leadership and employee bonuses often being directly tied to achieving these goals on time, on budget, etc. Failure to achieve such goals could mean lower personal compensation for a leader and potentially even members of their team. Such goals rarely include annual objectives to reduce cybersecurity risks or exposures in the area(s) for which they are accountable.
Unfortunately, this also means that regardless of the business exposures raised, recommendations issued, or direct offers to assist with the remediation of cyber risks associated with business initiatives, processes, or otherwise, security risk mitigation efforts are often the first to be sacrificed if annual goals are at risk of not being achieved.
Even when a breach does occur and the impact of the event can be directly tied to risk assessments and remediation guidance that were already shared with stakeholders, it is the cybersecurity team that feels the pain of the event. This includes the responsibility to respond 24/7 to an event that could have been avoided, updating executive leadership and the board throughout the event, and finally, speaking to why the security team’s program failed to prevent the company impact.
Many of today’s security leaders began as early security practitioners: those who truly understood the technology itself, how it could be exploited for both good and bad, benefit or destruction, and what could be done to minimize the risks of the bad things coming to life. As such practitioners applied their craft within private enterprises, they learned to better apply what they knew about technology and risks to an enterprise’s business model, operations, and strategy. They developed business acumen and grew their passion for protecting the enterprise’s mission.
Once they realized that few other business or technology leaders around them shared their passion or desire to safeguard operations, brand, etc., the most successful leaders shifted their time to establishing and maintaining influential relationships across all enterprise areas that own risk or could influence risk owners.
Security leaders must establish long-term relationships with such leaders by understanding the breadth and depth of the challenges and opportunities they are facing, assisting them with such efforts wherever possible or logical, and, based on the political equity earned, politically and strategically requesting their assistance in influencing risk owners.
Yes, all leaders must generally follow this playbook to be successful. This is also true whether leading a business or technology function. However, the key difference is that security leaders must use this playbook for nearly every big or small supporting effort that needs to be performed by another function.
Simply looking to business or technology functions to support the efforts without any outside influence is rarely successful for many of the reasons that have already been mentioned.
It’s also worth noting that, with most CISOs rising from the technologist ranks, it may not be particularly fulfilling to spend the vast majority of their time convincing others to help convince others to take an action that reduces enterprise risk; something that any ambassador for the organization, not simply security, should be concerned about.
The most significant of an enterprise’s technical exposures are typically longstanding (known about, yet unaddressed for years) and have been de-prioritized by IT functions for years. This isn’t due to malice, but rather the continued need to maintain an ever-growing landscape of technologies and meet an endless list of business integration and feature requirements.
For the last two decades, large enterprises have been growing through acquisition and have stitched together multiple generations of technologies in support of early value realization and future optimization. These future optimizations are rarely realized, and high-risk integrations and exceptions remain in place for years. An ever-growing stream of new capabilities is being implemented and often integrated with decades-old and potentially long-isolated environments. The result? Business risk continues, the need to invest in additional security technologies grows further, and the complexity and stress associated with fending off thousands of attacks a day increase in kind.
Many security leaders and practitioners spend day and night thinking about and actively responding to cyberattacks that could bring down the business or the brand if any misstep is taken or they fail to deliver excellence in that moment. The number of enterprise attacks has been growing exponentially year over year. As a result, most experienced CISOs have been actively involved in dozens of attacks that, if not identified and responded to effectively, would have been newsworthy events with massive enterprise impacts in terms of cost and loss.
Personal time with the family, including important milestones (e.g. weddings, graduations, etc.), has often been sacrificed more times than a CISO can count. This can have an impact on mental health, relationships, and the like, particularly when the CISO or their team are rarely acknowledged in any fashion for the sustained above-and-beyond efforts that have come to be expected.
There’s much more to talk about regarding the root causes behind this widespread situation, but we’ll save that for a follow-up discussion.
With that, let’s pivot and talk about opportunities to improve this situation: