AppDefects
Community Champion

Today a CISO, Tomorrow an Admin

Recent studies show that security breaches are costing CISOs their jobs - on average 6% are shown the door. Lots of these are high-profile incidents:


1. Capital One (100 million records)
2. Equifax (143 million records)
3. Uber (57 million records)
4. Facebook (Cambridge Analytica scandal)
5. Target (40 million)
6. JP Morgan (83 million)


While an incident might leave some CISOs fearing for their jobs, the opposite may also be true: an incident may have benefits for both their career and personal health. Incidents can be a learning experience. Do you think that your Board of Directors would accept that? Let's discuss.

15 Replies
Steve-Wilme
Advocate II

Firstly, it depends on whether it happens at your organisation or not. There will always be a few unlucky individuals who fall foul of the realisation that an incident could happen here too, and rather than make the investments to reduce the likelihood and impact of that, the board just fires the CISO, even in instances where the organisation hasn't experienced a breach.


-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Flyslinger2
Community Champion

Personally, I would rate the CISO as a more volatile position than CEO. It should also pay more. Think what's at stake.

I don't ever see a situation where a stock-based public company would retain a CISO after a huge breach. There would be too much public scrutiny and outcry.

JKWiniger
Community Champion

@Flyslinger2 The CEO is a much more visible position than the CISO, so the CISO can probably be replaced more easily. Replacing the CEO raises questions about what the new direction of the business will be.


John-

JKWiniger
Community Champion

It's a complicated situation. Many questions come up: is the CISO allowed to do what is needed by the powers above? And I say powers above because it has not yet become standard for the CISO to report to the board, so the CIO or CTO could be a barrier depending on the org structure. But then, if the CISO is given what is needed, do they know what to do with it and how to properly secure things? Many of these breaches have come from a simple lack of updates and poor policy. If your company gets compromised by a password spray attack and you don't have a password policy, then as a CISO you might need to find another line of work. If the low-hanging fruit is not taken care of...


John-

Steve-Wilme
Advocate II

In many companies the CISO is the fall guy: the one paid to be fired when there is a breach, but otherwise not given the resources to make a real difference. And if they do spend big and there's still a breach, then they're sure to go. CISOs are too easily seen as over-promising and under-delivering.

CISOScott
Community Champion

I think it comes down to the situation. If the CISO was negligent and was not able to increase security to prevent the breach (i.e. unpatched systems, outdated policies that left systems weaker or unprotected, creating divisions between security and IT, etc.), then they should be let go.


If the CISO implemented policies/procedures/processes that led to the detection of the breach, then they should retain their position.


I think honeymoon periods also have an effect. A CISO with less than a year in the position may not have been able to change enough things to prevent the breach. Someone who was with the company a long time and should have been able to make it more secure, on the other hand, should go.


Sometimes people are let go due to clashing personalities, line-of-responsibility changes (i.e. going from not under the CIO to back under the CIO), or sometimes just personality fit. Also, since CISOs are usually paid big salaries, it seems to go with the territory. By virtue of earning a large salary you are expected to be able to effect change and improve security. You are also expected to take the good with the bad.


It is also very easy to be the "fall guy" or person who gets thrown under the bus when a breach happens. It is easy for the CEO or another high-ranking company official just to point the finger at the CISO and publicly state that they have gotten rid of the problem and the search has begun to find someone who "will ensure that this type of thing doesn't happen again." Until the next breach. Luckily for the incoming CISO, lots of money will be thrown at them and they will (usually) have tremendous upper-management support; plus, after the company hires a third-party firm to come in and do forensics on the breach, they will have a blueprint of what to fix and how to fix the problems that got the previous CISO fired. Seems like this is the CISO position you should aim for! LOL!

rslade
Influencer II

> AppDefects (Community Champion) posted a new topic in Career on 02-23-2020 02:40

> Recent studies show that security breaches are costing CISOs their job - on
> average 6% are shown the door.

Since CISOs only last an (industry) average of two years, I'd say those figures
demonstrate that security breaches have *nothing* to do with your tenure on the
job ...

CISOScott
Community Champion


@rslade wrote:
> AppDefects (Community Champion) posted a new topic in Career on 02-23-2020 02:40

> Recent studies show that security breaches are costing CISOs their job - on
> average 6% are shown the door.

Since CISOs only last an (industry) average of two years, I'd say those figures
demonstrate that security breaches have *nothing* to do with your tenure on the
job ...


I try so hard not to be average, yet here I am being average. I guess I should start looking for my next gig........

AppDefects
Community Champion


@CISOScott wrote:
> I try so hard not to be average, yet here I am being average. I guess I should start looking for my next gig........


CISOs are an endangered species. How can we help change the public's perception? If we don't then they will be forced to play musical chairs. If data breaches are not to blame then what is? Why should CISOs take the fall if they are only servants to the CIOs?