Chapter 12. A Note to CISOs

Many CISOs aren’t successful in their jobs. Few last very long, and those that do usually simply survive rather than thrive. If you read the industry trade news, the average tenure of a CISO is just a little over two years. Year 1 is a grace period. Year 2 is a bilateral epiphany between the company and yourself that you’re not the right person for the job. Year 3, the company is in discussions about how to replace you, while you’re updating your resume and searching for a new position. Sound familiar? I see and hear about it all the time.

Time and again, I’ve seen CISOs pushed out of their jobs because of their approach to security or because they were overly insular and territorial about their work. I’ve been consistently amazed at the number of security professionals who are well-intentioned in their approach but completely misguided or misaligned with their organizations. They’re aliens to the company’s culture, spending their time trying to move the company in a direction it doesn’t want to go, all in the name of security. Despite all their good intentions, they view themselves as martyrs, believing they’re fighting the right fight, while what they’re actually doing is wasting their time and their employer’s resources.

Is there a secret to thriving and not just surviving as a CISO or security leader? I believe so. Regardless of your tenure, you can apply the concepts of my seven-step process and improve your team’s approach to InfoSec while strengthening ...
