What the heck is wrong with CISOs? They seem stressed, angry, and frustrated … more so than usual. And what is with all the drinking? I missed RSA this year, but the stories and Twitter posts are soaked in alcohol.
I am not the only one noticing all these stressed CISOs. Here are a few recent stories:
- CISOs Have the Toughest Job in the World
- CISOs Struggle to Cope with Mounting Job Stress
- Average tenure of a CISO is just 26 months due to high stress and burnout (which cites the same report as the first item)
- I Was A CISO for Six Years — Here’s Why Burnout Is Such A Problem
I spent some time lately lurking in CISO hangouts. I heard many interesting stories. Most point to a common culprit: exhaustion. CISOs are under tremendous pressure to keep their organizations safe. There is too much to do, too little time, and too few resources. Moreover, the complexity of modern enterprises coupled with the persistent threat of ransomware attacks makes CISO jobs profoundly difficult. Exhaustion is inevitable.
However, when you peek beneath the surface, this exhaustion transforms into something worse: hopelessness. One CISO summed it up succinctly: “they blame me for everything that goes wrong.”
Yeah, I know how that feels.
Maybe this is why many CISOs get the title Chief No Officer slapped on them? Faced with hopeless odds of success, it is easier to say no than to fight to make things work. I used to think CISOs who did this were weak leaders. However, the more I hear them talk, the more I think they are stuck in a WOPR.
Similar to the Kobayashi Maru no-win scenario of Star Trek fame, WOPR comes from the 1983 movie WarGames. In the movie, a “learning” mainframe computer, named WOPR, discovers that some games, such as tic-tac-toe or global thermonuclear war, are mostly unwinnable. The computer’s conclusion is “the only winning move is not to play.” It makes a good cold-war story. Cue a strained smile from Dabney Coleman.
This also describes the situation many CISOs are facing. Any effort they make to improve security results in a problem, and they get blamed for it. A CISO WOPR plays out something like this:
1. Company hires a new CISO
2. Expectations are high
   - Executives and board members expect the CISO to protect the business with absolute precision and perfection
   - Other departments expect the CISO to implement security without disrupting any existing business functions
   - Third party vendors expect the company to align with several intricate compliance regimens
3. CISO executes a plan to improve security. The results can be summarized as follows:
   - CISO implements security improvements
     - The controls fail, company gets hacked > CISO blamed and shamed
     - The improvements work, but it causes other systems to fail > CISO blamed and shamed
     - They work, security becomes routine and dull. Executives wonder why the company spends so much on security > CISO blamed and shamed
   - The CISO does not (or is unable to) implement security improvements
     - Company hacked > CISO blamed and shamed
     - Company somehow does not get hacked, executives wonder why they have a CISO and no security controls > CISO blamed and shamed
     - Company fails a compliance audit > CISO blamed and shamed
4. The CISO quits or is fired
5. GOTO 1
No matter what a CISO does, they lose. Mistakes in security (and technology as a whole) are common. Since many CISOs rose through the ranks from technical roles, not business schools or investment firms, they usually lack the skills to navigate the petty politics of organizations.
When people are stuck in situations where they feel they cannot succeed, they usually give up. Why work hard when you will be blamed for every problem, whether you caused it or not? I once witnessed a company put their entire environment at risk because a vice-president wanted to spite the security team for using a different cloud service provider. Eventually, the CISO tired of this and left the company.
Fortunately, there are some ways to combat a WOPR situation. Here are some strategies to consider:
- Adapt Communications: Each person you interact with has a particular communication style. Spend some effort to analyze how the executives around you communicate. Adapt your style to maximize your engagements with each.
- Stay Strategic: Play the long game. Have a plan and stick to it. Avoid getting mired down in petty squabbles. Keep reiterating the value of security.
- Snuff Out the Gaslighting: One way bad leaders distract CISOs is with irrelevant questions and faulty logic. For example, they may use anecdotal reasoning, where they recite some situation from their past and expect you to replicate it when you know it will not work. Listen, show respect, placate where necessary, but stick with your plan.
- Arm Yourself with Data: When the blame starts flying, have data on your side. Data might not save you, but it is a powerful weapon against the forces of idiocy. Make sure goals, plans, and commitments are documented.
- Stay Off the Range: Security is an easy target for developers, IT, finance, HR…everybody who needs a scapegoat. Do not allow your team to be unprepared. Be on top of your goals, metrics, and plans.
- Hold Vendors and Service Providers Accountable: Do not allow the companies providing you products or services to skip out on their commitments. If a vendor promises you something, get it in writing and require them to deliver. This is how you can show strength, resolve, and discipline. Be firm, do not be a jerk.
- Battle the Bullies: You may have board members or executives who think they are security geniuses because they have money and authority. These people are often deeply insecure bullies. Keep your discussions with these people focused on threats. Talk about the competition, ransomware, hacker groups, and all the catastrophes that will unfold if security is sidelined. Bullies innately understand threat.
- See and Sell a Brighter Future: It is difficult to scapegoat a person who speaks of a brighter, better, and more prosperous future. While you may need to pound the bullies on the board with fear, spread optimism, vision, and hope elsewhere. Optimism is attractive.
While I cannot fault anybody for giving up when faced with a WOPR, you must take something from each experience that helps you in the future. You might not make a difference in every place you work, but every place you work can make a difference for you.
However, I would urge all CISOs to hang in there. With persistence and perseverance, you can make a difference. Lastly, make sure you mentor and train others along the way. Leave your employer in a better place than when you got there. The people you mentor will support you.
Oh, and take it easy at the bar. Your firewalls may be deployed with redundancy, but you only have one liver. The replacement cost for that is well beyond your budget.