Cybersecurity Leadership: A Business Challenge in a Tech-Centered World
Cybersecurity is a relatively young field, but businesses are embracing its importance. However, the newness of the field, along with other factors like pending legislation, a limited understanding of the field among C-level executives, and the difficulty of translating technical topics for non-technical people, causes difficulties within organizations. This struggle around cybersecurity leadership leaves many businesses effectively moving backwards in cybersecurity.
See Cybersecurity in Leadership is Broken with Richard Brinson and Rachel Briggs for a complete transcript of the Easy Prey podcast episode.
Richard Brinson is the CEO and co-founder of Savanti, a boutique cybersecurity consultancy focused on cybersecurity strategy, leadership, and running large-scale cyber transformations for large enterprises. He has over twenty years of experience in security. Starting as a self-taught ethical hacker, he moved into forensics and a few other things before working his way up the corporate ladder. For the last eight years, he has been in Chief Information Security Officer (CISO) roles for various Savanti customers.
Rachel Briggs is a leading expert on cybersecurity and an executive advisor to Savanti. She has been working with Richard and his team on thought leadership projects. The team at Savanti has many hundreds of years of combined experience working with clients on cybersecurity needs. She also draws on twenty years of her own experience in and around various areas of the security industry. Her goal is to help combine that knowledge with industry-leading research to provide a road map for the industry to improve and move forward.
Why We Need to Talk About Cybersecurity Leadership
At Savanti, Richard and Rachel have a great vantage point to see the challenges of cybersecurity leadership. They get contacted by organizations who say they have problems with cybersecurity and aren’t sure if they’re doing the right things. Then they can go in and determine what’s going well and what’s going badly. It also gives them opportunities to spot problems that are common across organizations. And one problem they saw again and again was cybersecurity leadership.
They noticed a consistently revolving door of Chief Information Security Officers (CISOs), and the churn comes from both sides. Companies go through CISOs much more quickly than any other executive position, and individuals switch jobs quickly. Those two phenomena might have different causes, but Richard and Rachel wanted to understand them. Is there a particular reason why companies tend to go through CISOs so quickly? What can an organization do to keep cybersecurity leaders and support them better? Are there things CISOs can do to be better aligned with the business and its leadership?
They embarked on an extensive research project to explore what exactly was going on. They were seeing the same problems over and over again. In their research, they endeavored to document why it happened and come up with solutions to fix the problem.
Why There is So Much Churn in Cybersecurity Leadership
Calling the current struggles with cybersecurity leadership a “perfect storm” is cliché, but it sums it up well. There are six key factors affecting this high CISO turnover, and they are all converging to make it into a full-blown crisis.
Factor 1: The Threat is Increasing
Cybercriminals are always growing and rapidly evolving. The job never gets easier. In fact, it’s always getting harder. Cybercrime is increasing, and the pressure on CISOs is always growing because the threat is always growing.
Factor 2: Low Boardroom Understanding
More and more boards are taking an interest in cybersecurity. But even those that do usually don’t know how to manage the risks, what challenges are involved, or what they need from a leader. That makes it hard for them to support cybersecurity leadership.
Factor 3: Talent Scarcity
A perfect CISO would have strong knowledge and experience of technology and cybersecurity. But they would also have the business knowledge and leadership skills to operate in the C-suite. There is a distinct lack of people who have both the technology and leadership skills to perform both roles.
“Cybersecurity has a supply and demand issue … there is a big lack of people who have had a career in cyber that also then have that level of business understanding and are able to take the seat around the C-suite table.” (Richard Brinson)
Factor 4: Spiraling Salaries
Compensation packages for CISOs are getting higher and higher. In some companies, it’s more than the CFO’s compensation package. The people who are able to be successful in a CISO role move a lot because of this. If they get a better offer and aren’t getting support in their current role, they will move to a new company.
Factor 5: The “Hero Mentality”
Within the CISO community, there is a “hero mentality.” Over half of the CISOs that Richard and Rachel spoke to in their research described themselves as “transformation CISOs.” But if everyone is transforming, who is keeping a company moving without ripping everything out and starting over? There are very few people working towards a steady state.
Factor 6: Low Average Tenure
The average tenure of a CISO is 2.3 years. This is very short compared to other C-level executives. A Chief Information Officer’s average tenure, for example, is 4.6 years, while a CEO’s is 6.9 years. The average CIO will go through three CISOs during their tenure, and a CEO will go through four.
The Results: Instability
All these factors combine to create a lack of stability in cybersecurity leadership. While one CISO is leaving, another is being hired, and in the first nine to twelve months of a new CISO’s tenure there is likely not much being accomplished. The new CISO is spending their time understanding the company, stopping some things, and starting others. They’re not yet delivering value. With such high churn rates, a company is probably making progress only one year out of every three.
Cybersecurity is a rapidly-changing field. Every year brings new threats, new techniques, and new breakthroughs. If your organization is only making progress in one year in every three, it’s essentially moving backwards.
“The [CISO] churn itself is causing companies to stand still in an industry which is moving really quickly, effectively going backwards.” (Richard Brinson)
Cybersecurity Leadership is Critical
Insurance data is probably the most comprehensive set of reliable data we have access to, and that data speaks for itself. Companies that insurers describe or classify as cyber experts simply have fewer breaches. When they do have breaches, they respond more rapidly and more effectively, and they’re less likely to go under as a result. Having a well-run cybersecurity function and the right person in cybersecurity leadership is extremely beneficial.
“Having both the right person at the top of that [cybersecurity] function and a really well-run function pays dividends.” (Rachel Briggs)
Investors are starting to ask about a company’s cyber capabilities now. They know it’s a present risk for all companies. If they are going to put money in, they want to know the company knows how to manage it. Organizations that don’t have the right capabilities or don’t know how to respond can be severely impacted or even go under.
Cybersecurity is a touchstone issue. So few organizations get it right. If you are getting cybersecurity right, chances are you’re getting other things right, as well. And getting good cybersecurity leadership and processes in place isn’t just protecting yourself. Having that cybersecurity functionality is a real value add for the business.
The Costs of CISO Churn
Rapidly changing cybersecurity leadership has many costs. Most obviously, there is the financial cost. Richard and Rachel estimate it at no less than ten million dollars for a typical enterprise. That includes the cost of the CISO themselves, but also projects the CISO stopped before they came to fruition and projects they started that had not yet begun to add value when they left. Approximately 25% of the annual security budget ends up wasted.
It’s also highly destabilizing to the team. The position of Director, usually the next level below CISO, doesn’t see nearly as much turnover, so some directors have had three CISOs in as many years. Each of those CISOs has different priorities, can’t finish projects left from the last CISO, and makes abrupt changes in direction. Unstable cybersecurity leadership is incredibly turbulent and makes the whole team less effective.
There’s also the opportunity costs. Cybersecurity doesn’t just protect your company. It demonstrates high maturity, which can attract investors. And there are lots of ways cybersecurity leadership can drive top-line revenue. They could resell security services they built internally, for example, or work with marketing to better exploit data without breaking privacy laws. A good cybersecurity team means the company can take a little more risk than they would otherwise because the protection is there.
Finally, churn is causing companies to spin their wheels. In an industry that’s moving as rapidly as cybersecurity, slow progress is essentially moving backwards. But cybercriminals are charging ahead full-force. It’s the ultimate asymmetric threat. It’s not getting easier for us, but it’s definitely getting easier for them. Without good cybersecurity leadership, you’re at risk.
“You have companies that are either standing still, or spinning round in circles, or going backwards in the worst instances, but the bad guys are charging ahead full force.” (Rachel Briggs)
Cybersecurity Leadership and Executive Boards
There’s no question that boards are concerned about cybersecurity. Studies show that the vast majority of surveyed board members count cybersecurity as one of the top three things they’re concerned about. But they also admit that they don’t understand it, don’t know what good cybersecurity looks like, and don’t understand what they should be recruiting for in cybersecurity leadership. Due to this lack of understanding, boards often end up delegating to the CISO in ways they wouldn’t for other essential business functions.
Cybersecurity has risen very quickly into board-level discussions without having matured as a corporate discipline. That creates challenges. How is the board supposed to govern cybersecurity leadership when they’re not yet clear on how to govern cybersecurity as a discipline? The limited knowledge of many people outside of the discipline only makes it harder. It’s a completely different set of knowledge, skills, and expertise, and boards are still trying to find where it fits in.
“I think what we’re dealing with is a generational transition at board level and a need amongst boards to recognize there’s a new set of skills, talents, and expertise that need to come into the boardroom in the 21st century.” (Rachel Briggs)
When the Board Doesn’t Support Cybersecurity Leadership
If a CISO doesn’t have the support of the board, they generally can’t implement changes or be an effective CISO. That was one of Richard and Rachel’s findings for companies that go through CISOs quickly. They know of a company that went through four different CISOs in eighteen months. That company didn’t know what they wanted, didn’t know what they needed, and were scared of making a bad hire. Ultimately, this tells you more about the company than the CISOs who worked there. The company wasn’t ready to provide support and couldn’t create an environment where a CISO could be effective.
When a company and board aren’t ready to support the CISO, it won’t work. It will get to a point where the CISO has no budget and the board doesn’t let them change anything. When they’re not being supported and get a better offer from a different company, it’s not a hard decision for them to move on. It’s important to have the talent and have people get the skills to succeed at these roles. But it’s also important for boards to support them in using those skills.
The Challenges of Communication
Russell Reynolds Associates, a large executive search firm, believes that the number of CISOs who are cybersecurity subject matter experts and who also have the boardroom experience to hold their own at that level is very limited. They estimate it at fewer than a hundred people in the world. If every Fortune 500 company needs one and there are only a hundred, this obviously creates a talent shortage.
Richard and Rachel are looking into how to change that balance. Not every company needs a boardroom-level, top-100 CISO. But in the meantime, they want to work to bridge the gap between cybersecurity leadership and business leadership.
Some of it is a case of educating boards. But it’s also about educating the CISOs themselves. A phrase that occurred often in interviews with C-suite executives was “lost in translation.” Often, business people and cybersecurity people are essentially speaking two different languages. Boards know cybersecurity is important, but they don’t know what good cybersecurity looks like or what questions to ask to find out. Many CISOs are struggling to articulate themselves and the function of their role at board level in a relevant way. Part of the challenge is finding a way to connect.
Training for Cybersecurity Leadership
Addressing communication problems between cybersecurity leadership and executive board leadership is essential. Many CISOs come to the position through a technical route. They may never have spent much time dealing with people who don’t work in technology before. Boardroom training and communication training for high-level cybersecurity professionals may help.
“Actually addressing communication is so often overlooked – it’s something we just expect people to be good at. You actually have to be very proactive to be a good communicator.” (Richard Brinson)
Richard and Rachel have also seen some large enterprises use mentors. One client, a large company with over 300,000 employees, hired both a CISO and a CISO mentor. It wasn’t because their CISO was lacking, but because they wanted additional translation skills and to free up their CISO to do more. It’s easy for cybersecurity leadership to spend so much time trying to translate things to the board that they don’t have time to actually get things done. This company hired a CISO mentor to try to get some balance.
Communication training won’t solve all the problems with cybersecurity leadership, though. It is important, but so are leadership coaching, executive mentors, executive coaches, and the like. People in cybersecurity leadership positions need to learn to get outside of their own discipline, develop leadership skills, and understand other disciplines within the company.
Training for Boards
The problems in cybersecurity leadership can’t be solved just by giving the new CISO some additional training, however. It’s not just a problem for the cybersecurity leaders; it’s a broader leadership problem. A proposed SEC rule, if adopted, would mandate someone with cyber expertise on every board. The danger there is that the rest of the board could abdicate responsibility to that one person.
A good board would never tell the Chief Financial Officer, “We don’t need to know what you’re doing, just make sure there aren’t any problems with the money.” But that is often what boards do with CISOs. Once they have a CISO on board, they feel like they no longer need to worry about it. It can actually result in lowered understanding, because the board may feel they don’t need to learn or remember anything related to cybersecurity because they have someone to handle that.
CISO is a relatively new position in the boardroom for many companies. There currently isn’t a general standard of what effective board governance of cybersecurity looks like. Rachel and Richard are working on creating a guide for that. But in the meantime, boards also need to learn more about cybersecurity. They don’t need to become experts, but they also can’t ignore it.
Advice for Future Cybersecurity Leadership
If you see an area of opportunity or could be in a position to take on a CISO role, you can work today to improve your skills and close some of this talent gap. Communication and leading through influence are important. These so-called “soft skills” are the hardest to master and the most critical in a business environment.
If you can’t communicate, you can’t do anything else. Learn how to communicate effectively with people who don’t do your job, have different priorities, or even have conflicting priorities. As one interview subject said, you can fight as many hackers as you want, but if you can’t communicate with the board about why cybersecurity matters, you can’t get the budget and investment you need and you can’t do your job.
Finding stability in cybersecurity leadership is possible. But it will take a lot of work. We will need to understand what the right things to do are, build a new generation of leaders, educate boards, find creative ways to fill talent gaps, take a pragmatic view to risk management, develop a toolkit so everyone can speak the same language, and more. Assuming we do everything right, Richard and Rachel think it will be at least ten years, if not twenty, before the typical company reaches “good.”
Rachel also thinks that regulation could shorten the time frame. Government regulation has a tendency to provide an external jolt to the system. The pressure to get cybersecurity right is already on within companies. External regulations might quicken the pace even more.
View the first report to come from Richard and Rachel’s research data at savanti.co.uk. It is report one of four, as the study produced too much data for one report. If you have feedback about the report, want to be interviewed for their next piece, or think there’s something they should be writing about, they encourage you to get in touch! They can both be reached at savanti.co.uk, or you can reach out to Richard Brinson and Rachel Briggs individually on LinkedIn.