This blog post is intended for anyone managing a chief information security officer (CISO) or looking to fill the CISO role. This might also be helpful if you're a CISO, and you feel like this is something you want to share with your manager or supervisor.
According to a recent article by The Wall Street Journal, 73% of CISOs report having experienced burnout in the past 12 months. This may be part of the reason why the average tenure for a CISO hovers around 18-24 months.
The world needs security professionals, specifically, Chief Information Security Officers. Why is it that over two-thirds of the people in the CISO position are feeling burnt out?
There’s no doubt that the very nature of the CISO position is naturally predisposed to stress and worry, but in many instances, the manager of the CISO could be doing more to support the role and communicate expectations with them.
In my experience, when it comes to CISO burnout, most of the issues happen when information security doesn't align with the business objectives. This is caused by some combination of a lack of understanding by the CISO and poor communication by their manager.
There’s a natural gap between management and information security; it’s like they are speaking different languages. In my opinion, the job of the CISO is to bridge that gap, to become the translator.
But that can be hard to do.
The Challenge
First, let me help you understand the challenges of being a CISO.
Stress and Pressure – CISOs can often feel like they have the weight of the world on their shoulders; like they are in this fight alone. They also feel like any mistake by any user at any moment could come back on them. That's a tough situation to be in.
Knowledge and Expertise – Many of us fall into the trap of thinking that a chief information security officer is a purely technical role. But we’ve found that for the CISO to be effective, they have to be able to bridge many different gaps in the organization. And to do that, they have to have six different skill sets:
- Cyber threats and security
- Information technology
- Compliance
- Banking and business objectives
- Risk management
- People and communication skills
That is a tall order for a single individual to possess, but without them, it will be difficult for the CISO to be effective in a financial institution.
Understanding of Value – As I said, many CISOs don't truly understand the business objectives of their bank or credit union. That makes it really hard to understand how they provide value to the organization, and that will make the Information Security Program feel disjointed, or out of step with the rest of the organization, leading to friction internally.
Being Understood – Many CISOs were put in the role because they are highly technical in nature, but that means that they may not have the business understanding and communication skills to clearly communicate the risks, controls, and strategy at an executive level. This can result in management feeling like they don’t really understand the state and direction of the information security program, which is frustrating to both sides.
So how can you help?
Well, now that we know some of the challenges of being a CISO, we can begin to understand where they might need support, and what you as a manager of a CISO can do to help.
Establish a healthy culture – I talk about culture regularly in blog posts and it’s a frequent conversation amongst the Bedel Security team. Why? – Because it’s that important. You have to set a culture that understands that information security is hard. It takes effort from everyone. Incidents are a matter of when, not if. You need to explain to your CISO that you understand that and that you're with them along the way.
Explain business objectives – Information Security has to align with the general business objectives. How can that happen if the CISO doesn't understand what those are?
Are you looking to grow the financial institution organically?
Are you looking to acquire?
Or do you want things to stabilize?
Sit down and explain this to them, so they can be moving in step with you, not pulling in the opposite direction.
Get them involved – Get your CISO involved with the rest of your management team. The more they understand the challenges other folks are facing, the better they can do their job.
Help them pick their battles – You may have to coach your CISO on prioritization, asking them tough questions like, “Is this really a big deal right now?” As I said before, CISOs often feel like everything is important because of the pressure they feel, especially if risk management is not one of their strengths (one of the six keys from above). This is not a feasible approach; if everything is important, then nothing is.
When your CISO can prioritize in alignment with the overall business objectives, they will gain credibility as a business leader with their peers and generally have better relationships throughout the entire organization.
Coach them on business and communication – You may have to work with your CISO on how to effectively communicate, not only with the rest of the management team, but maybe even between you and them.
Have an honest discussion with them. If you don't understand what they're saying, be confident and secure enough in your own situation that you can say to them, “I don't understand what you mean by this, and you're going to have to help me.” Explain to them that when they talk in acronyms and use language that goes over the heads of the rest of the management team, it doesn't help their situation at all.
Care – We've talked to CISOs who say, “It just feels like what I do here is not important.” If it is important, you as a leader need to explain that to them from time to time. And thank them for what they're doing.
Closing
I hope you found this material helpful. If you're struggling to connect with your CISO or you're considering hiring a more formal CISO position in your organization and are wondering what it might be like to manage them, reach out and give us a call. We would be happy to help.
Or if recruiting, training, managing, and retaining the CISO role in your organization seems like a lot of work when you may not even need a full-time employee in that position, you may want to consider the virtual CISO or CISO-as-a-service offerings. If you're interested in finding out more, I suggest downloading our whitepaper or emailing us at support@bedelsecurity.com.