What is Wrong with CISOs?

CISOs are burned out (image source: Shutterstock)

What the heck is wrong with CISOs? They seem stressed, angry, and frustrated … more so than usual. And what is with all the drinking? I missed RSA this year, but the stories and Twitter posts are soaked in alcohol.

I am not the only one noticing all these stressed CISOs. Here are a few recent stories:

Recently, I spent time lurking in CISO hangouts. I heard many tantalizing stories. They share a common theme: exhaustion. There is too much to do, too little time, and too few resources. The complexity of modern enterprises, coupled with the persistent threat of ransomware attacks, makes CISO jobs profoundly difficult. The pressure to keep everything safe is enormous, and the resources are limited.

However, when you dig beneath the surface, this exhaustion becomes something worse: hopelessness. One CISO summed it up succinctly:

“They blame me for everything that goes wrong.”

I know exactly how that feels.

Maybe this is why many CISOs get the title Chief No Officer slapped on them? Faced with hopeless odds of success, it is easier to say no than to fight to make things work. I used to think CISOs who did this were weak leaders. However, the more I hear them talk, the more I think they are stuck in a WOPR.

The WOPR

Similar to the Kobayashi Maru no-win scenario of Star Trek fame, WOPR comes from the 1983 movie WarGames. In the movie, a “learning” mainframe computer named WOPR discovers that some games are mostly unwinnable, such as tic-tac-toe or global thermonuclear war. The computer’s conclusion is “the only winning move is not to play.” It makes a good cold-war story. Cue a strained smile from Dabney Coleman.

Mr. McKittrick, take us to Defcon 4 (Source: Metro-Goldwyn-Mayer Studios Inc.)

This also describes the situation many CISOs are facing. Any effort they make to improve security results in a problem, and they get blamed for it.

In speaking with CISOs, I heard this story many times. Security is volatile, unpredictable, and fraught with errors. As such, CISOs become the scapegoat for everything that goes wrong. One CISO summarized his plight:

“The company had no security scanning. So, I implemented a new vulnerability scanner that found thousands of vulnerabilities. I spent weeks organizing the data into tasks, only to endure a lashing from the ignorant CEO blaming me for slowing down development. Then a few weeks later, one of those vulnerabilities was exploited and a bunch of systems taken offline. The CEO used the next all-hands meeting to humiliate me and blame me for the attack. I logged off the call and sent him a text saying ‘I quit.’”

This was one of many similar stories. No matter what the CISO does, they lose. If they make things better, they get blamed for causing disruptions. If they do not make improvements, they get blamed for the inevitable attack.

When people are stuck in situations where they feel they cannot succeed, they usually burn out and give up. After working to improve things and facing constant resistance, they become bitter, resentful, and say no to everything.

I once observed a vice-president of engineering spite an entire security team because they wanted to implement configuration management controls on their cloud accounts. Since this was going to expose the shoddy work this VP had allowed, he resisted and fought the CISO at every possible opportunity. Ultimately, the CISO became frustrated and left.

The Only Winning Move

CISOs stuck in a WOPR are not trapped. There are some strategies you can adopt to keep yourself and the company secure.

  • Stay Strategic: Play the long game. Have a plan and stick to it. Avoid getting mired down in petty squabbles. Keep reiterating the value of security.

While I cannot fault anybody for giving up when faced with an unwinnable situation, you must take something from each experience that helps you in the future. You might not make a difference in every place you work, but every place you work can make a difference for you.

I urge all CISOs to hang in there. With persistence and perseverance, you can make a difference. Lastly, make sure you mentor and train others along the way. Leave your employer in a better place than when you got there. The people you mentor will support you.

Oh, and take it easy at the bar. Your firewalls may be deployed with redundancy, but you only have one liver. The replacement cost for that is well beyond your budget.

Originally published at https://www.zenaciti.com on August 9, 2022 and edited a few times.
