How to Manage a CISO to Avoid Burnout
This blog post is intended for anyone managing a chief information security officer (CISO) or looking to fill the CISO role. This might also be...
The CISO position has been around for some time now. Despite that, the role in many organizations is still maturing. Some companies still don't have a CISO, and for those that do, there are some growing pains when it comes to how this critical role fits in among already existing members of the C-Suite.
The Chief Information Security Officer (CISO) is a leader of the cybersecurity and information security program, who manages risk while finding ways to achieve business initiatives. By this definition, the CISO must work collaboratively with other leaders and executives in the organization to be successful.
But in talking to community banks, we've found an avoidable mistake that many new CISOs (less than 18 months in the position) are making, one that jeopardizes their ability to be a contributing member of the team.
That mistake can be summarized with one phrase: Lack of Priorities.
There are numerous skill sets that every CISO must possess. But we've heard and seen time and time again that, without proper prioritization, their effectiveness can be impacted in a big way.
One of the key functions of a CISO is to identify areas of risk and clearly communicate those risks to other members of the management team. Without priorities, that communication gets really foggy. This can cause several negative results:
While every CISO is different, and personality traits can play a factor, there are some recurring causes of this approach:
The management team will want to prevent this situation with their CISO at all costs. Going down this road means you'll have an ineffective member of your team for about 6-12 months as you figure out what to do with them. And every manager knows that turnover is costly and difficult. Even if you commit to fixing the problem after it has started, it will be a long process to re-establish their internal credibility (and it may not work at all).
There are several things that can be done to avoid this: