How CISOs respond to a major security incident can be a make-or-break moment for their career.

Although one in four security leaders find themselves replaced after a ransomware attack, for example, other CISOs are finding incident-hardened experiences — with transparent and successful outcomes — to be increasingly sought after in the hiring market.

A recent survey underscores this point, with 65% of security leaders saying that leading an incident response elevated their internal reputation, while only 5% said it hurt it.

According to Cytactic’s survey of 480 senior US cybersecurity leaders, including 165 CISOs, “a well-managed incident response demonstrates that security is a business enabler that protects revenue, brand reputation, and operational continuity in times of extreme stress. The CISO who leads a successful response elevates not just their own reputation, but the perceived value of the entire security program.”

The report added: “A well-managed incident demonstrates resilience, competence, and calm under pressure, which are highly valued by boards and CEOs.”

Repeat-CISO Michael Oberlaender experienced this internal respect boost firsthand after a successful defense.

“When I spoke up during meetings, and I raised — slightly — my voice to speak, the entire room went silent and listened. I was sometimes surprised and thought I was not clear enough in what I said and looked into people’s faces to see if they understood. Then I realized they were just carefully listening and following,” he says. “Business line leaders were more open to hear what I had to say.”

Oberlaender, who was given “full authority to sign the checks during the major crisis,” also found that Finance took his requests more seriously in the wake of his defense success, he says.

Cybersecurity consultant Brian Levine, a former federal prosecutor who serves as executive director of FormerGov and previously served as managing director for cybersecurity at EY-Parthenon, contends that a better budget position is really the only concrete improvement a CISO might expect after a successful defense. Even then, he says, the improvement comes not from any new admiration for the CISO but because a large attack happened and improved defenses are needed.

For some CISOs, the issue is visibility and communication, Levine says, giving an example of an enterprise that was hit with a massive ransomware attack. Because of the excellent upfront work by the CISO’s team, nothing was lost. Everything was backed up perfectly. So why wasn’t the CISO hailed as a hero? 

“He had been telling the board — and presumably his CEO — for months that his team prevents some 50,000 attacks a day. So when his team really prevents one, the board shrugs,” Levine says. CISOs “kind of normalize the idea that the company is constantly under attack. That is certainly true, but it makes it very difficult for the board to get worked up over preventing a single attack.”

In defense of defense

Moreover, this issue raises the question: Why should a security leader need to experience a major cyber incident to earn business colleagues’ respect?

Jeff Pollard, VP and principal analyst at Forrester, says this enterprise perception problem is “just part of human nature. If we don’t see the bad thing happening, we don’t appreciate all of the things that were done to prevent that bad thing from happening.”

Of course, if an attack turns into an incident and defense goes poorly, “it can easily turn from a hero moment to a scapegoat moment,” Pollard says. 

Oberlaender, who now works as a cybersecurity consultant, is among those who believe hard-earned experience should be rewarded, but that’s not what he’s seeing in the market today.

Historically, “a smart company would not hire a greenhorn into the CISO seat, but a battle-tested, really and truly experienced CISO with multiple decades of experience,” Oberlaender says. “But unfortunately, in the current business climate, the opposite is happening. Companies hire cheap, inexperienced, unqualified, non-knowledgeable, and often so-called virtual CISOs for a fraction of the salary and then wonder why they have data breaches and poorly managed incidents exploding in their face.”

Meanwhile, security leaders have other avenues for fortifying their positions in the business ranks, other industry experts suggest — for example, focusing on the financial value they deliver in terms of winning and retaining customers. 

CISOs “feel that they need to fight off an attack to show value, but there are many other successes they can do and show,” says Erik Avakian, technical counselor at Info-Tech Research Group. “Building KPIs is a powerful way to show their value.”

“Show [the CEO and other executives] what they are getting from these tools in terms of cost avoidance,” Avakian says, offering email spam filters as a low-level example. “Without those filters, far more emails will clog employee inboxes and that will deliver less efficiency” and productivity.

Those other executives “understand dollars and cents” and the problem is that too many CISOs “don’t bother to show the actual value in real KPIs down to those dollars and cents,” Avakian says.

Chris Jackson, a senior cybersecurity specialist with tech education vendor Pluralsight, reinforces the frustration that many enterprise CISOs feel about the lack of appropriate respect from their colleagues and bosses. 

“CISOs are a lot like pro sports coaches. It doesn’t matter how well they performed during the season or how many games they won. If they don’t win the championship, it’s seen as a failure, and the coach is often the first to go,” Jackson says. “In the same way, CISOs can go 10 years without a breach, but a single incident can end their tenure. Too often, CISOs become the convenient scapegoat.”
