A new CISO for a casino property told me recently that they came into an absolute mess of an environment with cybersecurity risk that was "off the charts" and "unmanageable". While it is very tempting to come into a new company and be the superhero to fix many of the issues right away, this may look good in the C-Suite as it defines who you are in your first 90 days.
All the indicators would show that a lot of work needs to be performed in short order, and you would want to show leadership and motivation and be known as the person that "gets things done". No CISO wants to be perceived as the last CISO, who most likely did not work out or burned many bridges within the company.
While it may be tempting to roll out new tools, patching, programs, teams, monitoring, end-to-end encryption, etc., these would be great ideas and intentions, but they may end up with the CISO getting kicked out the door within one year.
Why? When a CISO shows up, it is important to remember you will be viewed as the "IRS" or the person that will be telling everybody what they are doing wrong in their jobs. This is a harsh image of the CISO, but perception is reality.
Not many people like or enjoy working with the IRS, and the same applies to a CISO: people know you are there to tell everybody how they are doing everything wrong, and it feels as if you are calling everybody's baby ugly because you are finding vulnerabilities and problems everywhere.
In addition, the CISO is another step in the overall business processes for approvals across the enterprise. The CISO can be seen as the gatekeeper to making key decisions, even though we would prefer to see ourselves as business enablers protecting the company's data assets. The perception of CISOs in general among other business executives is absolutely horrible.
If you do not throttle yourself as the CISO, it is highly likely your career within your company will be in jeopardy. It is easy to believe that, as a CISO, you came in to perform all the duties assigned by the executive leadership team, while failing to recognise that the rest of the company will experience "cybersecurity exhaustion".
Cybersecurity exhaustion is very much like a hangover after a fun night of partying. For the first nine months on the job as a CISO, everyone will be pleased with your ambition, your progress, and the way you are making the company more secure, but it is important to remember that the party does not last forever, and if you party too hard, everyone will wake up with a bad hangover. As a new CISO, it is great to have the visibility and the spotlight on you, but people will get tired of you and will seek ways to derail your efforts. While this may sound sadistic, this is the unfortunate behaviour and way of life in a company. People get tired of the superstar of a party.
When we become a CISO, we all know to operate at the speed of the company, not like a racehorse, which is what I did in my first CISO job. I will admit, I was so taken by cybersecurity adrenaline that I put in an insane number of hours to do whatever it took to protect my past employer, and that ended up being my demise. While I exhibited loyalty and a high work ethic, I let the adrenaline of the cybersecurity issues get the best of me as I operated faster than all of the other executives, because I wanted to protect the company. I was fearful of a cybersecurity breach on my watch, and this was totally about individual pride and ego.
Earlier in my career, I made this mistake myself without realising it until it was too late. For instance, I was the first CISO for a $2 billion holding company that was in dismal condition and under horrible IT leadership. I came in to be the new IT director for our business and functioned as the company's first CISO for five business units in a shared services IT model. I rebuilt the IT shop I was in charge of, kicked major butt by fixing problems and issues, turned the place around, built IT and cybersecurity programs, became compliant for SOX and PCI, improved reliability and uptime, reduced cyber risk, implemented layers of security, etc., only to be shown the door within one year.
I learned the hard way that I had pushed too aggressively and people became "exhausted" with my endeavors. We all know that we have to moderate ourselves in our jobs, but with cybersecurity it is different.
CISOs have a less desirable position in a company compared to, for instance, a VP of marketing. The VP of marketing gets to do the fun, sexy work of promoting the company and being creative, and the CISO gets to be the person that is viewed as the company "police officer". Everybody wants a police officer when they need one, but when they don't, they want you gone. This is the life of a CISO regardless of how gregarious or likable you may be. Being a CISO is a very difficult position in a company and can be viewed as a "thankless" position.
While this advice may sound like typical "cookie cutter" leadership that is playing the "safe card," it actually isn't. I firmly believe in being bold, innovative, a thought leader, and a progressive leader, but this is very hard to perform because the role we need to carry out may limit our true ambitions.
Bottom line, go at the pace your company would like to see; don't tire out your company to a point where the other executives experience your "cybersecurity exhaustion."
Happy survival in the C-Suite.