
Wanted: Effective CISOs Who (Happily) Stay Longer

Most security leaders change organizations every few years. The reality is that people leave jobs for many reasons. Here’s why this often becomes a problem for enterprises, the CISO or both.

For chief information security officers (CISOs) and other security leaders, the grass often looks greener on the other side of the fence.

But is it really?

No doubt, new professional opportunities are plentiful within the cybersecurity industry for those with the right skills and experience. But is switching organizations (when the going gets tough or the price is right) always the best road to take? Career decisions can be difficult to make and usually include a complex mix of work relationships, team chemistry, total remuneration packages and family (home) life topics (work/life balance).  

Meanwhile, both the public and private sectors have grown accustomed to a revolving door regarding security leadership every few years. Some executives write this problem off as an inability to offer the right pay packages to keep top talent. Other times, security leaders get forcibly removed as the “fall person” after an embarrassing data breach or a major cyber-incident or wider management shake-up.

The reality is that people leave jobs for many reasons. Nevertheless, why do security leaders tend to switch jobs more than most other professionals? This article from CSO magazine lists the top reasons that CISOs leave.

This article from last year lists the top reasons that 60 percent of IT security pros want to leave their jobs right now. “The main reasons cited by the IT pros who wanted to leave were job dissatisfaction and the lack of growth opportunities within their companies. Other top reasons for employees looking to quit include unhealthy work environments (53%), absence of IT security prioritization from executives or upper management (46%), unclear job expectations (37%), and lack of mentorship (30%).”

And digging deeper, could constant changes in security leadership be a major contributing factor in the surge in expensive cyber-incidents? Could security staff turnover lead to more global data breaches? Is switching companies every few years helping to stop cybercrime or making things worse?

While every situation is different, CISOs seem to be swapping roles faster than professional football, baseball and basketball athletes change teams in free agency. Taken as a whole, this fact seems to point to cyber concerns worth considering by all of us — before it gets personal.   

Numbers, Please?

So how bad is the problem? Let’s start with some numbers from different surveys over the past few years.

Last year, this SecureLink blog wrote their view as to why the average tenure of CISOs (from a CSO magazine reference) was only 18 months. Here’s an excerpt:

“Though a CISO's responsibilities may differ from company to company, the core role is well defined; a CISO is essentially a senior-level executive who’s responsible for executing and overseeing the company’s cybersecurity strategy. So it stands to reason that the CISO role is often held accountable when a data breach, of any form, occurs. In fact, according to a survey reported by Tripwire, 21% of IT decision makers would most likely blame a data breach on the CISO. Remarkably the CISO position is second only to CEO when it comes to perceptions of accountability after a cyberattack. This goes a long way in explaining why the average tenure of a CISO is a mere 18 months. …”

This CIO magazine article claims the average tenure of a CISO was 17 months in 2015.  

This 2019 CSO magazine article quotes several studies describing 24- to 48-month tenures for most CISOs. It also cites a Kaspersky Lab study concluding that “barely half of all CISOs stay at their job for more than five years.”

This recent Forbes Technology Council article from June 2019, written by former San Diego CISO Gary Hayslip, states that the average CISO tenure is now 2.5 years. The article also claims that the average chief information officer (CIO) tenure is 4.3 years. Gary also goes on to list some tips for creating an optimal environment for CISOs to stay put.  

One more source of data. This Korn Ferry Institute Survey article from 2017 stated that most other CXOs range in tenures from 4.1 up to 8+ years.

In summary, as I examined this topic in detail, the research concludes that CISOs are staying in their jobs for much less time than corporate CIOs, CFOs, CEOs or other senior executive positions. While government organizations may have different leadership titles, I have noticed many similar patterns in the public sector recently, especially when government cyber pros are NOT in defined benefit retirement plans which tend to keep baby boomer CISOs longer at the end of their careers. However, I must admit that I don’t have specific research data to back up my public-sector opinions.   

So What’s the Impact of Turnover?

While the survey numbers may vary, what we know for sure is that there are numerous hidden costs to employee turnover. Here’s an excerpt from one study:

“According to a study by the Society for Human Resource Management, replacing an employee could cost you up to five times the annual salary of the now vacant position.

But the costs aren’t limited to dollars and cents. What about the losses that are not so obvious?

  • The (exiting employee) takes knowledge with them.
  • The best suffer most, as they must train the new staff.
  • Creates a void. People become sad, bitter or distracted. Other people take on new work "out of their comfort zones, and employees start to doubt their jobs."
  • Distraction to management — must shift gears from strategic initiatives to hiring new executives.
  • Domino effect. Others sometimes follow."

This excellent article from JC Gaillard in 2018 explains how CISO tenure is key to digital transformation. The article starts by quoting surveys stating that CISOs stay for only about two years. Next: “Nothing will change until the profile of the CISO is raised and they start to see their role over the mid to long-term.”

Pay attention to this observation as to why so many CISOs leave so fast: “It often starts with the sense that the internal situation is vastly different from what they had been ‘sold’ throughout the recruitment process; they don’t feel valued or listened to; they feel trapped in management models where many key decisions are made elsewhere without their involvement; they feel like they haven’t got adequate resources in terms of budget or staff to do what they would like to do. So they leave. Having achieved very little in practice. And in a number of cases, they leave for larger organizations or a larger pay package because of tensions on the recruitment market around those roles.

"Then, at best a caretaker manager is appointed; or worse, the role is left vacant for months until a recruitment is made internally or externally. Then someone new comes in, almost always with different views compared to their predecessors, and with the risk of seeing the same scenario repeating itself. …”

Help, Please!

So with so much at stake, including everything from organizational digital transformation to protecting the enterprise from data breaches, what can be done?

This 2017 article, entitled The CISO Merry-Go-Round, offers eight helpful ideas that can improve CISO longevity:

  1. "Working close to the C-Level to understand how they operate, their requirements and what factors can support their success. This interaction needs to be a regular occurrence, not only when things are going awry.
  2. Understanding their stakeholders and how their business operates. Knowing and managing the strengths, weaknesses, opportunities and threats of the business to be able to make decisions efficiently with conviction.
  3. Developing a strong internal network of allies. Identifying the astute individuals across the organization that can support them and reciprocate favors when called upon.
  4. Coaching and mentoring their direct line of reports to delegate activities and act as trusted advisors in their absence and identify a clear deputy.
  5. Continually adapting, gathering information, learning and developing new skills to improve their knowledge of the business, the industry they operate in and the information security domain.
  6. Building trust and respect by engaging with impact, delivering reliably, sharing successes with the business and acknowledging the team members and colleagues that have supported delivery.
  7. Sharing experiences and knowledge with peers and industry thought leaders.
  8. Developing resilience is critical. It takes thick skin and resolve to be a CISO."

This article from the offers tips on what CISOs need to focus on to stay longer term.

No doubt, all security leaders want to be successful and improve cyberdefenses, no matter how long they stay. But too many quick job changes can become a serious problem for resumes and personal reputations.

I have written many articles that are relevant for CISOs and other leaders in cyber careers, and here are a few to consider on this topic:

In the last piece about evaluating technology and security leaders, pay attention to the questions that John Maxwell has about leadership impact.

Also, notice the planning perspective from these state CISOs (from earlier this year) from Nebraska and North Carolina.

For balance, I encourage you to read this article on 11 Reasons to Stay in Your Current Job (Even If You Hate It). Here’s how it starts:

“'I hate my current job and I will leave this place!' How many times have you heard someone say that line? To some people, it’s too often. It’s unfortunate how rare it is for someone to come across another individual who loves what he/she is doing in his or her place of work. It’s more likely for you to encounter someone ranting non-stop about how 'unfair' his or her employer is and how much 'he or she wants to leave'. In fact, this person might even be YOU. …”

Closing Thoughts

I know. I know. I have done little in this blog to prove to you that CISOs leaving early can cause more security data breaches or other security incidents. My gut tells me that security effectiveness is (at least partially) related to CISO longevity — so send any research my way if you have meaningful data (either way).

NO DOUBT, some CISOs must go — and the sooner the better for an organization. (If this is the case, I question an organization's hiring practices, but that is a different discussion for another day.)

Nevertheless, this topic must start getting more attention for the cybersecurity industry to improve. The bad actors are laughing all the way to the bank at all of the cyber leadership turnover in so many organizations. Some CISOs also take their teams (or best security talent) with them when they leave.

And I really like this excerpt from a CSO magazine article on CISO longevity:

"Take Andy Ellis. As Akamai's chief security officer for the past eight years, Ellis has played a central role in implementing a zero-trust data access model that has fundamentally transformed the company's security posture. Over a total of 16 years in various security roles at Akamai he has helped define and evolve the organization's core security strategy.

"Ellis believes that being at the same company for so long has been critical to his ability to affect change. 'I've gotten to mold this position,' Ellis says. 'As I've gone along, it's been like wearing a comfortable glove. I understand how the organization works; therefore, I can get more done.'"

Andy Ellis’ experience has also been my experience while at the state of Michigan for over 17 years as an agency CIO, enterprise CISO, CTO and CSO. You can read about that CISO/CTO/CSO journey here, but happiness, career satisfaction and impact are not just measured by money. I have also seen this same trend in numerous other state governments and private-sector entities.

But getting more personal: The key question you will ask when you look back at your time as a security leader is: “What lasting difference did your team make regarding cybersecurity under your watch?”

Bottom line: Leading any organization for two years or less is generally not enough time to build a positive legacy and improve the cyber culture. Strive to build strategic (and tactical) plans that are (at least) double that (four years or more) as a CISO.

Next, stay and deliver effective cyber results.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.