Last week, during a SoSS report pre-briefing, Chris Eng was discussing our prediction around CISO tenure and said: “Who wants to be a CISO these days? Not me.” Even with SoSS Vol. 5 predicting that CISO tenure would shrink, it was shocking to hear our research VP make such a statement.
Our CISO tenure prediction is based on the fact that a major breach, or even a string of minor ones, can wreak havoc on a CISO’s career. Our research shows that new software isn’t being developed securely: there is a 70% chance that an application being tested for the first time will have significant, exploitable vulnerabilities. I don’t know about you, but I like to carry an umbrella when there is a 70% chance of rain. With those odds it’s easy to predict that a significant breach is in the future, and it’s really hard to succeed as a CISO when a constant string of breaches is occurring under your watch.
Breaches also throw a wrench into any strategy a CISO has; everything gets put on hold until the cleanup is done. Any role with “Chief” as the first word should not be a ‘deal with daily disasters’ job. Chiefs should be agents of corporate change operating from a strategic plan.
Consider all the application security related change that CISOs should be enabling. They should be working to change internal development cultures from one where “time to market always trumps security” to one that actively manages software risk and takes pride in creating rugged code (Who Creates a Successful Application Security Program?). They should be changing how enterprises procure software from commercial vendors and outsourced development firms, in some cases creating third-party security policies and procedures for the first time, and in others putting in place the capabilities to enforce existing policies for the first time. They should be figuring out how to support the enormous wave of BYOD by managing the risk that personal mobile app downloads pose to the business’s mobile apps and data. Not to mention that CISOs must keep adapting their protection schemes because the threat landscape is constantly changing. On top of all this, CISOs face the added problem of being change agents in departments where they typically have no direct reports (development, procurement, etc.) and little budgetary weight to throw around.
In large organizations, it is really hard for a new chief of anything to achieve meaningful results in 18 months. Conventional wisdom suggests that the first year is spent learning the job and forming a viable strategy. At best, a new chief can identify and implement a few tactical projects that could be foundational in those first 12 months. If CISO tenure is really 18 months or less, it means the role is in a constant state of implementing stopgap measures instead of being the strategic agent of corporate change that the job actually requires.
So after thinking about all of this, I can understand where Chris’s sentiment comes from. Being a CISO is no easy task. So to all you brave souls who are Tackling the Culture of Insecurity with a Chief in your title: I salute you!