Sekuro Talkshow

The Sekuro Talkshow with APAC CISOs (Ep.1)

“How long does an average CISO last in a job? What is a common factor causing a CISO to quit?”

In the first episode of the Sekuro Talkshow, Sekuro Chief Growth Officer Shamane Tan had a conversation with three Asia-Pacific (APAC) Chief Information Security Officers (CISOs) to find out the common challenges experienced by CISOs and the reasons why they quit. The three CISOs also shared their thoughts on what companies can do to better support their CISOs as their job scope continues to evolve. Joining Shamane on the show were Phoram Mehta, APAC CISO at PayPal; Andre Shori, APAC CISO at Schneider Electric; and Serge Christiaans, former APAC CISO at Moët Hennessy.

Average tenure of modern CISOs

Curious how long CISOs stay in their role on average? Shamane found out what the APAC CISOs thought the average duration was. Phoram provided the most optimistic estimate of between three and four years, while Andre quoted the tenure of 26 months from a previous study. Although Serge did not settle on an estimate, he noted the shift over the past two years, and looks forward to further studies on the new normal in the future for CISO tenures.

Common reasons why CISOs quit

When asked about the common reasons that caused CISOs to quit, the CISOs brought up stress as a factor. From the stress levels of the job to the way CISOs handled stress, it seemed inevitable that continuing in this role became challenging when stress was not well managed. Other reasons cited include misalignment of views with the senior leadership team and, at a larger scale, the culture of the company.

How CISOs can adapt and stay

With problems come solutions. With stress being a factor, we wondered if there were lifestyle or work behavior adjustments that CISOs could make in order to stay fulfilled and remain in their role, especially since they are human just like everyone else. A point brought up by all three CISOs was the increased scope of responsibilities of modern CISOs, which in turn meant higher expectations of them.

Andre highlighted the common challenges faced in this position.

Citing this as another risk to be managed, what this meant for CISOs was that preventing breaches no longer remained their only focus, but they were also expected to fully understand what their company does, from a business perspective. In some cases, customer engagement was also one of the new areas CISOs had to take care of.

“Try to get your life balanced if there is a lot of stress, and learn how to say no…” was what Serge suggested and Shamane agreed with, something simple yet not as straightforward as it sounds.

Having work-life balance meant that burnout was less likely. This is no solo effort, however: it requires appropriate delegation and resources, and leaning on both senior management and immediate teams. In essence, corporate success is a team effort.

With the numerous technological advancements over the years, there is a lack of adequately skilled people and of sufficiently diverse ways of attracting and retaining talent. “Overall, accept that you can’t control everything, start becoming a business enabler, and continue taking care of your team like your job actually depends on them,” Phoram pointed out.

Cybersecurity is a 24-7 by 365 (days) job, so you never completely disengage or disconnect. Not only are we expected to be a deep tech subject matter expert, we now have to talk business strategies and be aligned with it.

How organisations can support their CISOs

With the important roles that modern-day CISOs play in their companies, it is just as crucial that their own organisations provide them with the support needed. CISOs who are backed by their companies are able to execute their tasks more effectively and also look after their own mental health. What are some ways organisations can help provide that support for their CISOs so they can execute their strategic moves more effectively?

Since CISOs are highly valuable, finding a good one can be a daunting task. Furthermore, with frustration being repeatedly cited as a reason for CISOs leaving, companies should do more to support their CISOs while providing them with more space. Not only should companies provide all the tools needed to do the job, but they should also ideally have a leadership team supporting the CISO. That way, the leadership team becomes an extra pillar of support, and not a new battle for the CISO to fight.

Sharing some advice with new CISOs who have been offered this position, Andre stressed the importance of understanding the cybersecurity culture they will be stepping into. In addition, factors such as the company’s security appetite, expectations of this role, and support available should also be considered. More importantly, it was also critical that new CISOs understood who they were reporting to – is it the board of directors, or the CEO directly?

“I think I will just summarise everything my colleagues have mentioned. There are three things that the company can do – culture, compensation, and community,” Phoram summarised, as he elaborated on why companies should hire people who fit the culture, compensate CISOs fairly for the value proposition they bring to the company, and have them adapt to changes and mistakes quickly.

Conclusion

Overall, all three APAC CISOs who shared their views in this episode of the Sekuro Talkshow raised some similar thoughts and suggestions on the challenges of modern CISOs, and how their companies can support them. As the role of a CISO is so essential and crucial, it is challenging to manage it alone. 

A big thank you to all three APAC CISOs for joining us in this episode!

Shamane Tan

Chief Growth Officer, Sekuro

Shamane Tan is one of the most established women in the fields of technology and cyber security. As the Chief Growth Officer at Privasec and Sekuro, she is responsible for leading the security outreach strategy with the C-Suite and executives. Recognised by IFSEC as one of the global top 20 cybersecurity influencers, the ‘Cyber Risk Leaders’ author was also recently listed in the 40 under 40 Most Influential Asian-Australians and Top 30 Women in Security ASEAN Region 2021. A TEDx speaker and podcaster, Shamane is also the Founder of Cyber Risk Meetup, an international community and platform for cyber risk executives to exchange learnings.
