I know why CISOs fail. I know because over the last 20 years I’ve spoken to more than I can recall, and it’s a common and constant source of fear and frustration.
I also know because as a CISO I have also failed. And I’m not afraid to admit it. It’s all an essential part of the learning and growing process. A CISO that has not failed has not learned what it’s like to face that incredibly important test of resilience. Not to mention all the other essential lessons security failures can teach us. Lucky for me, none of my failures created any unnecessary risks or resulted in any incidents or events. You might not be so lucky.
Being a CISO is a little like being an entrepreneur. Investors much prefer it if you already have a number of failures under your belt. Not only does it mean that you have lived through the fire, survived your failures, but you’ve come out the other side a more seasoned and capable entrepreneur. Besides, investors don’t want your first failure to be on their books.
“Fail fast” has been the buzz mantra amongst Silicon Valley startups for decades. But while most organizations and CISOs focus their worries on security failures, they miss much more important failures. Had those been addressed earlier, the often-devastating security and privacy breaches might never have happened in the first place.
Are You Failing To Manage The Fear?
Did you know that the average tenure of a CISO is now 24 months or less? Or that the biggest cause of the rapid turnover of these critical leaders is stress? Yet every time you lose a CISO, you lose so much more.
You obviously lose that critical time searching for a replacement when you can probably least afford it. You lose that intimate and specific knowledge the CISO probably had of your organization, the team, and management. You lose any relationship you and the board might have developed and nurtured.
You lose all that time and money you invested in finding and shaping that CISO in the first place. And you might end up with a major gap in security as you try to fill that leadership role when there are few capable seasoned CISOs even interested or available.
And much of that stress either comes from or is exacerbated by a poor or non-existent relationship between the board and CISO. A good board relationship on its own could significantly extend the shelf life and tenure of your security leader.
Are You Failing To Manage The Communications And Relationship?
In a recent interview with CSO Magazine, Kris Lovejoy, the global cybersecurity leader at EY, put it about as well as I’ve heard recently: “When the board trusts the CISO, the CISO can do better, move quicker, act in the way they need to and get the funds they need. That’s critical, because cybersecurity risk is so dynamic. It requires CISOs to adjust the strategy and operating model very quickly. And if the CISO doesn’t have the support of management and the board, he or she can’t do their job.”
Like any business or personal relationship, that trust has to be built over time, managed and protected, and only achieved through real, personal, and transparent face time.
The rapidly changing, constantly evolving, and highly technical world of cybersecurity has forced most CISOs to remain technical risk managers, without the luxury of being business risk managers. It’s time for a sea change. If we can’t teach boards and CISOs to speak each other’s language fluently and seamlessly, the next best thing is a seasoned translator fluent in both.
If you’re a CISO wondering how best to engage your board, think about these well-tested suggestions:
- Always speak in business and risk management terms, not in technical, security, or metrics terms.
- Develop individual relationships and board allies who can act as supporters, intermediaries, or translators.
- Keep in constant contact with as many board members as often as possible, rather than relying on once-a-year presentations.
- Understand what the board wants and is focused on, and what their risk priorities and tolerance are. And be watchful for any subtle changes to their priorities.
- Learn to speak their language rather than trying to teach them yours. And especially focus on what might be said between the lines.
- Always search for common ground where security goals and expectations can be best aligned with business goals and expectations. In other words, show how clearly intertwined they are.