CISO Expectations Are Becoming Impossible to Achieve

The multi-year rise in data breaches, ransomware attacks and insider threats has led to a surging global need for cybersecurity leaders to save the day. But here’s why the CISO ideal is harder than ever to deliver.

by / September 8, 2019

The following is a fictional job posting. Any resemblance to an actual public- or private-sector job posting for a CISO is purely coincidental. 

Wanted: An experienced, industry-leading Chief Information Security Officer (CISO) at well below what the market is paying when considering both wages and benefits.

This hacker guru, who excels at stopping nation-states and organized criminals from penetrating (very) vulnerable mission-critical networks, will lead a team of security staff who struggle in the fight against global adversaries and cyber war. Note: Filling existing team vacancies will be an immediate priority, but keep in mind that our budgets are tight, so hiring freezes will likely be imposed soon after you are hired.

This recognized expert in executive leadership, project management, team building, relationship management and budgeting will have a minimum of 10 years of professional experience (20 or even 30 years preferred) managing complex security operations centers, supervising large teams (although the team you will actually manage is rather small) and recovering from global cyberattacks that have devastated international business operations. Note: See these recent ransomware attack examples for more specific details of the challenges we are facing.

This exceptional individual should be able to mentor staff, build award-winning strategic and tactical plans, understand the complexities involved in the global banking system, stop cybercrime and speak effectively in front of large (internal and external) audiences in funny, compelling, and industry thought-leading ways. Note: Obtaining executive buy-in and speaking to media contacts, lawyers, accountants, college interns and the local PTA is a must. Expect plenty of after-hours meetings and numerous formal or information dinners (and lunches and breakfasts too.) And no, your spouse or family members or significant other is not invited.    

The CISO will coordinate, develop and implement corporate policies such as: information security, privacy, urban data management and whatever other policies we need for compliance (including, but not limited to, HIPAA, PCI, IRS and ISO 27002). These policies will be based on best-practices globally and a comprehensive understanding of all local, national and international laws that pertain to data, security, industrial control systems and the Internet of Things (IoT). Note: We expect this brilliant individual to keep up with relevant, emerging cyber startups in areas such as artificial intelligence (AI), quantum computing, 5G, digital assets (like cryptocurrencies) and other cool new stuff.   

A consistently positive, assertive attitude and ability to rapidly enforce security culture change within our enterprise is a must. This individual is also measured (required to score) an average of 4 (out of 5) on 360-evaluations from management, peers, business clients, external partners and internal staff. Any disagreements with senior executive management will not be tolerated. Frustration (and certainly fits of outward rage) will lead to an early dismissal for cause — without any termination compensation.   

Required professional certifications include: CISSP, CISM, ISSMP, CSSLP and C|CISO. A CRISC certification is strongly preferred but not required. This hands-on pro will also manage several vendor partners. Certifications in acquisition management from federal three-letter-agencies (such as CIA, NSA, DHS or FBI) including procurement management, legal provisions and complex contracts is strongly preferred.

Education shall include a master’s degree in computer science, cybersecurity or electrical engineering, but a doctorate degree in one (or more) of these fields is strongly preferred. Note: Please include several of your recent blog postings, articles and/or books you have written (along with your Twitter handle and LinkedIn profile and password) in your application on page 21. The forms are right after the FBI background check details, but before the release authorization for five years of family tax records.  

Speaking of background checks, proof of no criminal wrongdoing (ever) along with exemplary service to your community (shown via at least one nonprofit organizational award) is assumed. In addition, previous (successful) examples of leadership roles outside of work are strongly preferred — please list these references on page 37 of the application. Active involvement in non-political (but acceptable by our standards) social causes is encouraged before, during and after employment. Note: We are an equal opportunity employer, and all applicants are encouraged to apply regardless of ethnic background or religious beliefs.

Must be available for frequent travel and 7x24x365 access/availability even on vacations and holidays, should the need arise — and it will. Note: Out-of-state travel will generally be limited to under 40 percent of your time, depending on the number of domestic and international conferences you are asked to participate in.

Most important of all: The search committee expects this new CISO to ensure (in writing) that NO DATA BREACHES WILL EVER OCCUR ON YOUR WATCH! Any ransomware attack or phishing attack that is successful against any of our company staff or contractors (for the bad actors and against our organization) will be considered an unacceptable security incident for the purposes of your limited-term legal agreement. Note: This one-sided contract shall be signed on the first day of work.    

In the event that the search committee is unable to find qualified applicants that meet all of the stringent requirements for this CISO role, we reserve the right to waive any (or all) requirements and hire the best candidate from within. Note: If this alternate selection process is chosen, the selected candidate will be on probation and have one year to fully meet all position requirements listed herein.   

Expect 'other duties as assigned' to be added to this CISO role. Final Note: The qualifications committee is still working on additional requirements that will be discussed with applicants who qualify for a formal interview. 

Where Did This CISO Job Posting Come From?

OK, I admit that I went way over the top and (intentionally) embellished this CISO job posting to make my point. I certainly did not intend to offend anyone, but this description represents many of the unreasonable expectations that more than a few CISOs feel right now.    

Regardless of your views on my (attempt at) humor, expectations for chief information security officers (CISOs) have grown immensely over the past decade. Many goals and deliverables are virtually impossible to meet — especially in the public sector. Some experienced CISOs are even leaving the role (but not the cybersecurity industry) to become expert consultants in cyber.

Many CISOs are now in a “no-win” situation, and it feels like (beyond the job description), Iron Man or Wonder Woman couldn’t even succeed, given all of the challenges. CISO expectations from management have become unachievable, even as our security challenges get harder to address.

So why do I make these claims, and what can we do about the expectation problems? That’s what we will cover for the remainder of this blog.

Why Now? Examples Please?   

First, there have been dozens, perhaps even hundreds, of articles, books and white papers over the past several years providing analysis and guidance on why CISOs fail and/or what it takes for security leaders to succeed. Most of these provide a level of helpful analysis and good advice.

Here is one article I read recently from Rajeev Shukla on Peerlyst. I encourage you to read his well-done article, with helpful charts. Here are 11 of his reasons for CISO failure:

  1. Caught into "Product Panacea" mindset
  2. "Insufficient Understanding" of cyber areas
  3. Lack of vision, to create, "Program Frameworks"
  4. Over dependence on high cost "Consultants & Services"
  5. Operational oversight, caused by "Ineffective Delegation Model"
  6. "Lacking Personal Ability to Retain Talent" in key areas of cysec team
  7. "Hype Fancy" leading to unreal connection with ground realities of CySec
  8. "Critically Lacking Assertiveness" in keeping, defending and moderating a point
  9. "Hiding of Info/State" by their own team and own organizational elements, leading to chaos
  10. An "Inability to Navigate Politics" of the larger organization, and, implement/influence decisions/actions
  11. "Getting Caught into Politics" at the critical points, which demand, direct and assert resolution models

In this article, Nick Sanna describes how CISO expectations have changed.

SecurityRoundtable.org also explains: The evolving role of the CISO: From risk manager to business enabler.

ISSA offers some great advice and direction in their great CISO Mentoring Webinar Series, which covers a long list of topics from seasoned experts. I even participated in one of these podcast in this series in September 2015 titled: “The Top Five Mistakes New Security Leaders Make.”

And yes, I have written extensively on this topic going back to 2010 when I wrote a blog series for CSO magazine on the seven reasons security pros fail.

More recently, see: Wanted: Effective CISOs Who (Happily) Stay Longer.

Also, I offered input into this article by Joan Goodchild on 6 Steps Every New CISO Should Take to Set Their Organization Up for Success.

I could go on and on, but I’ll stop there. Feel free to google terms like “CISO failure” (or add success) and you will find many more articles and books on CISO requirements and what’s needed to succeed. These are all (hopefully) helpful pieces that make good points.

So What’s the Problem?

But taking a step back and taking them as a whole, these lists have become overwhelming and impractical to perfect.

Almost like diet books, this seemingly endless list of tips, tricks, ideas, and must do’s for CISOs to be an over-achiever isn’t going away anytime soon.

My concern is that no one — and I repeat NO ONE — can possibly do all of this. Expectations have grown to be (almost) like the job description at the beginning of this blog.

While I really like Rajeev Shukla’s article above, my heart sank when I heard this was part 1 of 5. (Part 1 alone seems overwhelming to master by itself.)

So should we just give up and not give advice? Of course not! But we must also balance these lists and problems with burnout and reality of a genuine security leadership career. Not all CISOs are created equal, and most will never be able to consistently achieve half of what we are preaching in these books, lists and articles.  

So yes, the pendulum is swinging back the other way for me. And others are saying the same things.

Consider these articles:

Delta Risk — CISOs Life: How are you holding up?

Nominet (UK): Four reasons not to blame CISOs

Nominet (UK): Life Inside the Perimeter, Understanding the Modern CISO, with this quote:

  • A quarter of CISOs worldwide suffer from physical or mental health issues due to stress
  • Almost a third fear for their jobs
  • Many feel that other board members don’t recognize the inevitability of attacks
  • More than half lack budget or resources to deal with a growing threat landscape

One Answer PLEASE?

So how can we deal with the data breaches, ransomware and critical system outages, along with associated media headlines, that have (sadly) become commonplace around the world?

Yes — CISOs are vitally important. Hire the best you can. Of course we need to hold CISOs accountable, but they also need lots of help and support.

CISOs are like quarterbacks on a football team. Good quarterbacks are leaders who inspire trust. They are often team captains with great skills and abilities.

BUT THEY ARE NOT THE ENTIRE TEAM.

The CEOs, CFOs and/or top government leaders, including elected officials, all have major roles to play, as do other parts of the technology and business teams. Organizations need to be “all-in” on cyber.  

The Deloitte-NASCIO State Cybersecurity Study has been done five times over the past decade, and the results remain the same again and again. Cybersecurity teams need more resources (dollars and staff), especially in government circles.

As Doug Robinson, executive director of NASCIO, recently said about successful cybersecurity programs at a NASACT Conference in Arizona, “Competence is also about governance, authority and continuity.”

Many of these factors are outside the control of appointed CISOs. These responsibilities are not just for CISOs — or even CIOs. The security and technology groups need lots of executive help from top elected officials and business and corporate leaders.

Final Thoughts 

My readers are familiar with my football (and other sports) analogies, as related to cybersecurity. Here are a few of my pieces on this topic over the past decade:

I list these articles again, because I truly believe that CISOs, just like many athletes, can try and do too much and succeed at very little. Quarterbacks take time to develop, and different players will have different strengths and weaknesses.  

Bottom line: We are now making expectations for this CISO role too hard — like confusing a new quarterback who just gets to college with a complex playbook. Good coaches know that it takes time to develop and learn and mature and be successful in any complex system.

And winning is a team effort.    

"Talent wins games, but teamwork and intelligence win championships." — Michael Jordan

Platforms & Programs