Today’s Chief Information Security Officer (CISO) leads an increasingly precarious life.Since the emergence of the job title in the late 1990s, the CISO job has become more complex – and demanding – by the day.
Whereas once this was a technical job focused largely on fixing firewalls and patching vulnerabilities, today’s security chiefs are expected to do this and a whole lot more. They’re charged with juggling the day-to-day operations of their security team with meeting board expectations while also staying abreast of an ever-evolving threat landscape and regular regulatory changes.
As a result, it could be argued that the CISO job is a poisoned chalice: the job is well-paid, respected and increasingly available to people of all backgrounds (thanks to the well-publicized InfoSec skills shortage), and yet the average job can last 18 months or less. A CISO could be dismissed for any number of things, from a breach or missed vulnerability to failing to align security operations with the board’s business goals.
One former head of InfoSec spoke of the challenge facing security heads in thriving – and even surviving – in their job.
“CISOs have an incredibly difficult job in that they are responsible for something they can never provide 100 percent assurance on, i.e. securing the enterprise. All it takes is one missed vulnerability, one insider or one accidental “insecure” process.
“They are invaluable when they fully understand this and can properly manage the associated expectations. The problem is that this requires not only the complete understanding of how to properly manage short- and long-term projects, completing at scale and against budget, but also the technical knowledge and security understanding to ensure the right priorities are being addressed.
“The role is almost a unicorn – technical, but with people skills. Executive-level, but with project management capabilities. Laser-focused prioritization but with broad overview knowledge and understanding.”
Given this, and the constant speculation over how CISOs come to be dismissed,CSO Online interviewed three fired CISOs, a firing CIO and a host of other InfoSec experts to find out why CISOs get fired, where they end up…and how others reading this can avoid the same feat.
Data breaches today make headlines and – in the InfoSec community – this often results in a lot of discussion around the position of the CISO and his or her security team. Both journalists and security vendor marketing teams are quick to warn what could happen after that ‘if not when’ data breach.
And yet, for all of this, CISO sackings are almost unheard of in the media.
Data breach notification laws in the United States (and soon in Europe, with the General Data Protection Regulation) give you a record of what firms gets breached, and you can make a guess as to what happened to the security chief. However, to date most CISO dismissal stories in the press are the weird and wacky, or the very high-profile.
JPMorgan’s CSO Jim Cummings was re-assigned a year after a breach which saw 83 million records compromised on the back of a social engineering campaign. The bank’s CISO Greg Rattray was asked to leave his position and take up the global cyber partnerships and government strategy.
But these are rare examples and more often than not it’s the senior business executives that take the fall. 40 million credit card details lost (and over 100 million data records compromised) saw Target lose its CIO and CEO after its breach in late 2013 (although the retailer did appoint its first CISO), while the 2007 breach at apparel retailer TJX saw a director and senior vice president jump ship. In the UK,TalkTalk’s Dido Harding hung onto her job after last year’s breach which saw 157,000 records compromised, including the financial details of 15,000 customers.
While this may surprise some, it could be argued that this comes down to accountability, reporting lines and security maturity. For example, if the CISO reports to IT, the CIO could take the fall, while other stakeholders might push board members to leave the sinking ship.
Brian Honan, managing director of BH Consulting, says that it’s also hard to gauge of a CISO has been fired – or simply found another job.
“CISOs move so much today it is hard to know if they jumped or [if] they were pushed – especially in the absence of any public information on breaches.”
There may be no record of CISOs being given the boot but – in my discussions with a number of CISOs, CIO and other InfoSec experts – it is clear that this happens on a fairly regular basis.
CISOs could depart for their organization suffering a damaging breach, but could leave too in the event of failing to spot or report a bug, poor purchasing decisions or because of disagreements with senior management.
One head of information governance, previously working in the US media sector, tells me that there were two occasions she saw her CISO asked to leave. Both dismissals, she said, “mostly centered about [an] inability to address risk to a satisfactory state and in an economical manner.”
Other sources, speaking to me anonymously, recall occasions where their firm’s CISO was dismissed for poor reporting, exceeding their budget, not following business strategies or even spreading FUD (Fear, Uncertainty and Doubt) – rather than delivering practical solutions to these same problems. It was, as one CIO remarked, a case of the CISO “talking the talk, but not walking the walk.”
A UK-based penetration tester recalls another example where a fellow pen tester found various flaws in a client’s IT infrastructure (allowing him to remotely take over the web server) and reported these to the CISO, who promised him £4,000 in return for disclosing the vulnerability.
Two months on however, and with no payment received, the pen test outfit contacted the firm’s CEO. This action had dire consequences for the CISO.
“About two months of calls, nothing. The testing company were pretty annoyed at being ignored. They reached out to the CEO, to give them a mouthful and he was a really sound guy.
“He apologized, told them they couldn’t take them on due to prior contracts, paid them, and sacked the guy (the CISO) on the spot as he hadn’t reported the findings to his seniors.”
However, while it’s perhaps unsurprising that clashes with senior management are often cited for CISO departures, the long-held view that they should be fired for a breach remains contentious.
SANS Institute’s Eric Cole touched on this recently on Twitter: “Let’s clear the air, having a compromise is not a bad thing; If a CISO is negligent they should be fired, but not because a compromise occurs.”
This, clearly, is up for debate. A December 2014 study from NTT Com Security revealed that senior execs thought information security was, in layman’s term, ‘someone’s else’s problem’, while a Raytheon study revealed that 70 percent of security pros at the eCrime Congress in London thought that CEOs should take the blame. Only 13 percent of those polled thought it should be the CISO.
Two CISOs who were dismissed described the experience of being fired, and the lessons they learned.
One CISO, who previously worked in the UK financial services sector, says that his dismissal was ultimately came down to “a difference of opinion” between him and the CIO.
“The information security budget was part of the overall IT budget, and the CIO had to make cost reductions. While information security still had to show savings in the budget, this increased risk in certain areas.”
He continued that, having explained the potential damages to senior management, the CIO took a nasty turn. “The CIO did not like this, although agreed that the business should be responsible, which was a case of do as I say not as I do.”
He says that he felt he handled the departure well, but believes he learned a lot from the experience. “It is best not to report directly into technology, and have your budget controlled by the CIO, who is under pressure to show aggressive costs savings. Also businesses leaders do not like to hear the truth or have transparency, even if they publicly state that.”
Unfortunately, this tale is similar elsewhere. A head of infosec at a managed service provider also cites difficulties with the IT team, with this eventually paving the way for his own exit.
“The IT director constantly ignored the advice of information security, thought that he knew better, and while telling the board that we should improve, undermined my position by telling my peers to let me fail, as he just did not like what I did.
“This resulted in a complaint to HR against my director, for conduct unbecoming a director and also a breach of our corporate ethics policy. HR brushed it under the carpet. A month before my two-year employment period, where employment law would have protected me with unfair dismissal, I was dismissed.”
Another CISO, working in the US pharmaceutical industry, explained why he resigned after blowing the whistle on insider fraud following an M&A.
“There was a merger and acquisition with another bigger US company with a global reach, as this was a publicly traded business we had Sarbanes Oxley and SEC compliance which fell under my remit, as the parent organization’s information security function was less mature than ours.
“There were a number of financial irregularities throughout the year, and while carrying out some analysis on data loss prevention, came across what looked like fraud and insider trading. One of these was a regional CFO, who I got on well with.
“The information was not conclusive, and after debating with myself for a week what to do, I passed on the information in confidence to the new CEO in accordance with our own policies (ethics, and whistleblowing). The CEO then forwarded on my confidential email to the person I reported asking what was going on, in which I straightaway received retaliatory action against me.
He resigned the day after, but four months later the company filed for bankruptcy, and later last year the old CEO and CFO were investigated by the SEC.
So, how do CISOs avoid getting the chop? Here are three tips:
All rights reserved 2022