freshidea - Fotolia

CISO careers: Several factors propel high turnover

The average CISO tenure is approximately 24 to 48 months. Kudelski Security's John Hellickson discusses factors driving the high turnover rate and how to improve job satisfaction.

The CISO role is evolving, but a high turnover rate among security leaders continues to bug the cybersecurity industry. A recent Enterprise Strategy Group-Information Systems Security Association study found several reasons for the trend, including CISOs being tempted by higher compensation packages, organizations not having a culture that emphasizes cybersecurity and CISOs not having an active voice among executive management or the board.

The CISO reporting structure and the lack of a comprehensive cybersecurity program are also key factors driving this high turnover associated with CISO careers, according to John Hellickson, managing director of global strategy and governance at Kudelski Security.

In this Q&A, Hellickson explains why CISOs need to be more business-minded and how having a mentor can help drive career growth. He also highlights the core attributes of a successful CISO and the top challenges that confront CISO careers.

Editor's note: The following transcript has been edited for clarity and length.

When it comes to CISO careers, what factors are behind the high turnover?

John Hellickson: I believe there are many unique factors that play a major role in high CISO turnover. One of the largest factors is company culture. When CISOs interview for their next job, a key element they want to validate is whether or not the 'tone from the top' truly demonstrates that cybersecurity is a top risk and focus for the company. Many times, organizations say cybersecurity is of top priority, but as the CISO attempts to drive improvements, they soon find out that the support is not really there when tough investment or prioritization decisions need to be made.

John HellicksonJohn Hellickson

Another related factor is the reporting structure of the CISO, and his or her associated authority level. If the role is buried within the IT organization, it will be hard to make a positive difference on those security responsibilities that extend beyond IT. If it's a position that reports directly to the CEO, which is rare, one can be reasonably assured that security is taken seriously at the organization.

The lack of a comprehensive cybersecurity program and demonstrating progress in the most needed areas is a key factor for high attrition. If the CISOs aren't demonstrating that their investments and controls are having a positive impact on the organization, their requests for larger budgets or reprioritization of business priorities become more challenging as the years progress, making another job opportunity more enticing.

And when it comes to other job opportunities, having the CISO title is a prestigious position, and when recruiters reach out with ever-increasing compensation packages, it's hard for CISOs to not at least hear the recruiter out.

Other factors that contribute to this high turnover are: being too technically focused, a lack of business acumen and/or tact, inexperience in leadership, an inability to influence others across the business, or even just the stress from thinking of when that next breach may occur.

A CISO's role today is primarily risk management, where they are more of an advisor and strategist, while being technologist behind the scenes.
John Hellicksonmanaging director of global strategy and governance, Kudelski Security

What are the key attributes of a successful CISO? Can mentors help guide CISO careers?

Hellickson: A successful CISO engages with the business. A CISO's role today is primarily risk management, where they are more of an advisor and strategist, while being technologist behind the scenes. Establishing a security risk steering committee with other C-suite members is one of several effective ways to engage with business leaders.

The old ways of instilling fear, uncertainty and doubt to drive support for additional budget and large projects are long gone. The CISO should be perceived as a business partner, adaptable to the business changes and threats, a team player, and have a continuous improvement mindset across people, process and sometimes technology needs.

Additionally, the CISO should be focused on self-improvement -- a coach and/or mentor are essential to becoming a very effective senior leader. Athletes at the highest levels always have a coach, often many coaches, from experts in their sport to nutritionists that keep them as healthy as possible. Why shouldn't CISOs? The CISO has one of the most challenging roles and should have both a senior business leader and an industry peer as mentors and, if the organization supports it, an executive coach to improve their leadership and organizational influence skill set.

What are the top challenges associated with CISO careers?

Hellickson: One top challenge is the ability for the CISO to demonstrate to the board that they are the right person for the role. In order to do this, the CISO needs to be able to effectively manage cybersecurity risk across the enterprise and work well with and be respected across the executive team. He should be able to relate cybersecurity to business objectives, instill confidence in a security program grounded by a cybersecurity framework while maintaining regulatory compliance. The ability to deliver upon stated roadmaps, maintaining regular discussions with board members to keep them abreast of threats and risks, while at the same time having enough technical savviness to ensure the right controls are implemented, are also important.

From a people and technology perspective, getting ahead of and supporting cloud adoption and recognizing the new skill sets required to successfully make this transition is important. On the technical side, they should keep up with disruptive technologies such as IoT, AI, and automation and orchestration, to name a few.

Convincing executive management that the organization needs to spend even more on security technologies when we've been investing heavily in this area for the last six to eight years is going to continue to be a challenge as well.

Dig Deeper on Risk management and governance