What is Wrong with CISOs?
What the heck is wrong with CISOs? They seem stressed, angry, and frustrated … more so than usual. And what is with all the drinking? I missed RSA this year, but the stories and Twitter posts are soaked in alcohol.
I am not the only one noticing all these stressed CISOs. Here are a few recent stories:
- CISOs Have the Toughest Job in the World
- CISOs Struggle to Cope with Mounting Job Stress
- Average tenure of a CISO is just 26 months due to high stress and burnout (which cites the same report as the first item)
- I Was A CISO for Six Years — Here’s Why Burnout Is Such A Problem
Recently, I spent time lurking in CISO hangouts. I heard many tantalizing stories. They share a common theme: exhaustion. There is too much to do, too little time, and too few resources. The complexity of modern enterprises coupled with the persistent threat of ransomware attacks makes CISO jobs profoundly difficult. The pressure to keep everything safe is enormous and the resources are limited.
However, when you dig beneath the surface, this exhaustion becomes something worse: hopelessness. One CISO summed it up succinctly:
“They blame me for everything that goes wrong.”
I know exactly how that feels.
Maybe this is why many CISOs get the title Chief No Officer slapped on them? Faced with hopeless odds of success, it is easier to say no than to fight to make things work. I used to think CISOs that did this were weak leaders. However, the more I hear them talk, the more I think they are stuck in a WOPR.
Similar to the Kobayashi Maru no-win scenario of Star Trek fame, WOPR comes from the 1983 movie Wargames. In the movie, a “learning” mainframe computer, named WOPR, discovers that some games are mostly unwinnable such as tic-tac-toe or global thermonuclear war. The computer’s conclusion is “the only winning move is not to play.” It makes a good cold-war story. Cue a strained smile from Dabney Coleman.
This also describes the situation many CISOs are facing. Any effort they make to improve security results in a problem, and they get blamed for it.
In speaking with CISOs, I heard this story many times. Security is volatile, unpredictable, and fraught with errors. As such, CISOs become the scapegoat for everything that goes wrong. One CISO summarized his plight:
“The company had no security scanning. So, I implemented a new vulnerability scanner that found thousands of vulnerabilities. I spent weeks organizing the data into tasks, only to endure a lashing from the ignorant CEO blaming me for slowing down development. Then a few weeks later, one of those vulnerabilities was exploited and a bunch of systems taken offline. The CEO used the next all-hands meeting to humiliate me and blame me for the attack. I logged off the call and sent him a text saying ‘I quit.’”
This was one of many similar stories. No matter what the CISO does, they lose. If they make things better, they get blamed for causing disruptions. If they do not make improvements, they get blamed for the inevitable attack.
When people are stuck in situations where they feel they cannot succeed, they usually burn out and give up. After working to make things improve, and facing constant resistance, they become bitter, resentful, and say no to everything.
I once observed a vice-president of engineering spite an entire security team because they wanted to implement configuration management controls on their cloud accounts. Since this was going to expose the shoddy work this VP had allowed, he resisted and fought the CISO at every possible opportunity. Ultimately, the CISO became frustrated and left.
The Only Winning Move
CISOs stuck in a WOPR are not trapped. There are some strategies you can adopt to keep yourself and the company secure.
- Stay Strategic: Play the long game. Have a plan and stick to it. Avoid getting mired down in petty squabbles. Keep reiterating the value of security.
- Adapt Communications: Spend some effort to analyze how the executives around you communicate. Adapt your style to maximize your engagements with each.
- Snuff Out the Gaslighting: One way bad leaders distract CISOs is with irrelevant questions and faulty logic. For example, they may use anecdotal reasoning, where they recite some situation from their past and expect you to replicate it when you know it will not work. Listen, show respect, placate where necessary, but stick with your plan.
- Just Do It: While I am hesitant to invoke Nike slogans for information security, sometimes it is the only way to get security done. Stop talking, do. This is a risky act. It may backfire on you, but somebody has to do something. Might as well be you.
- Arm Yourself with Data: When the blame starts flying, have data on your side. Data might not save you, but it is a powerful weapon against the forces of idiocy. Make sure goals, plans, and commitments are documented.
- Stay Off the Range: Security is an easy target for developers, IT, finance, HR…everybody who needs a scapegoat. Do not allow your team to be unprepared. Be on top of your goals, metrics, and plans.
- Hold Vendors and Service Providers Accountable: Do not allow the companies providing you products or services to skip out on their commitments. If a vendor promises you something, get it in writing and require them to deliver. This is how you can show strength, resolve, and discipline. Be firm, do not be a jerk.
- Battle the Bullies: You may have board members or executives who think they are security experts because they have money and authority. Keep your discussions with these people focused on threats. Talk about the competition, ransomware, hacker groups, and all the catastrophes that will unfold if security is sidelined. Bullies innately understand threat.
- See and Sell a Brighter Future: It is difficult to scapegoat a person who speaks of a brighter, better, and more prosperous future. While you may need to pound the bullies on the board with fear, spread optimism, vision, and hope elsewhere. Optimism is attractive.
While I cannot fault anybody for giving up when faced with an unwinnable situation, you must take something from each experience that helps you in the future. You might not make a difference in every place you work, but every place you work can make a difference for you.
I urge all CISOs to hang in there. With persistence and perseverance, you can make a difference. Lastly, make sure you mentor and train others along the way. Leave your employer in a better place than when you got there. The people you mentor will support you.
Oh, and take it easy at the bar. Your firewalls may be deployed with redundancy, but you only have one liver. The replacement cost for that is well beyond your budget.
Originally published at https://www.zenaciti.com on August 9, 2022 and edited a few times.