Average Tenure of a CISO is Just 26 Months Due To High Stress and Burnout

Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress. From a report: Many say the heightened stress levels has led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases, an eventual burnout, resulting in an average 26-month tenure before CISOs find new employment. The numbers, reported by Nominet, represent a growing issue that's been commonly acknowledged, but mostly ignored across the information security (infosec) community, but one that is slowly starting to rear its ugly head as once-ignored infosec roles are becoming more prominent inside today's companies. [...] The survey's results paint a gloomy picture about one of today's most in-demand jobs. According to the numbers: 88% of CISOs reported being "moderately or tremendously stressed." 48% of CISOs said work stress has had a detrimental impact on their mental health. 40% of CISOs said that their stress levels had affected their relationships with their partners or children. 32% said that their job stress levels had repercussions on their marriage or romantic relationships.

Alternate headline: CISO quit after getting

[0100010001010011]

nowhere with management.

"Hey we should do X, Y, Z."

CXO: "Will it bring us profit?

"No, but it'll prevent us from becoming the next equifax."

CXO: "Yeah, but nothing bad happened to them...."

CISO: "Why did you bother to hire me, fuck this industry..."

Re: Goes both ways

[Firedog]

Condoms on all the cables.

Re:Alternate headline: CISO quit after getting

[Tom]

You're doing that wrong.

The correct answer is "yes, it will bring us profit. By reducing our losses to incidents, and by allowing us to manage our risks better, which means we can reduce the reserves we put aside for handling them and free up cash for profitable investments."

Also, don't pick Equifax as the example. In my country, an industry leader was down for two weeks - factories stopped, no production, losses in the double-digit millions. It's not a high-profile case because industry and not consumer and journalists didn't jump on it, but it's a brilliant example (can't drop the name, we were involved in the cleanup process).

Pick your fights better, and understand that communicating to management is a major part of your job, so train it, refine it, and do it right. You'll save yourselves tons of headaches.

Re:

[rtb61]

On a bean counters spreadsheet, one who is chasing a bonus for cutting costs. How much does the CISO office cost, how much money does it make and there are the numbers proof. Prove that it will prevent losses, where are the proven numbers, where are the receipts, here are the real world savings and here are your imaginary costs. This is the bonus that executives will receive for this quarter based upon these savings. What profits will you security division make, we know the costs, where are the profits and

Re:

[Tom]

On a bean counters spreadsheet, one who is chasing a bonus for cutting costs. How much does the CISO office cost, how much money does it make and there are the numbers proof

I can calculate you that number, it's part of what I do.

Prove that it will prevent losses, where are the proven numbers, where are the receipts, here are the real world savings and here are your imaginary costs.

Wrong level of management. Top level managers think beyond the cash register. If you don't get to talk to them, you are wasting your time.

What profits will you security division make

None. IT is not a profit center, it is a support process that enables others to make a profit.

Also, we keep the CEO out of jail. A major driver is compliance and accountability. The simple fact that you have a security division is the #1 thing that'll keep you away from gross negliegence in case the shit hits the fan

Re:

[AmiMoJo]

In my experience the typical C level response to this argument is "if you were doing your job properly there wouldn't be any incidents."

They see it as you effectively saying that you can't protect them and they should fire you and find someone who will pretend they can.

Maybe tenures are so short because they know to move in in a couple of years max so that when it inevitably does go wrong they aren't around to take the blame, or can blame their predecessor if they have only been in the job for six months.

Re:

[Tom]

In my experience the typical C level response to this argument is "if you were doing your job properly there wouldn't be any incidents."

Here's the budget calculation with the resources that I need to do my job properly. Glad that we are in agreement that a well-done security job is a necessity.

Maybe tenures are so short

Among my clients those that do switch do so because they get a better offer or look for a different challenge or are tired of office politics. Not one I know complained that they're being blamed for incidents. Maybe the C level is more adult than you give them credit for?

One difference between plebs and CISOs

[bobstreo]

"The base salary for Chief Information Security Officer ranges from $197,716 to $261,204 with the average base salary of $226,265."

I could put up with a whole pile of BS for 200K a year.

As long as when I advised the board on needed changes, they would sign off on their decisions on paper.

In my previous jobs, managers became very indecisive when I asked for their decisions in writing.

Re:

[Austerity Empowers]

The C in CISO means you own their decisions, there won't be anything in writing.

Re:

[whitelabrat]

This. When you're a C-level, the buck stops with you. You have to make the hard decisions of getting things done while supporting the business. Have fun with that! :P

Re:

[Opportunist]

If all you do is put up with BS, you won't stay a year because then you're the fall guy with no budget to avoid it. You're essentially sitting on an ejector seat with someone else having the trigger for it.

Re:

[jon3k]

I think the question we should all be asking is, if they are leaving after 26 months, where are they going? Because given the industry right now, my guess is to "a higher paying CISO role somewhere else" because the opportunities for CISO [forbes.com] are crazy right now:

“The cybersecurity job market is on fire” says Veronica Mollica, founder and executive information security recruiter at Indigo Partners, Inc. in Fairfield, Conn. “Our candidates are facing competing offers from multiple companies with salary increases averaging over 30%. Current employers are scrambling to retain talent with counter offers including 10% and higher salary increases for information security team members to remain on board” adds Mollica.

And that was from 2016. Just imagine what it is like today.

It is a thankless job.

[jellomizer]

If you do your job right, it seems like you are doing nothing at all.
If you do your job wrong, you are spending all your time putting out fires, and dealing with issues.

Your job is to tell people who don't take no for an answer. No you can't do that.
Your job is to tell efficiency people that this efficient workflow cannot be done for security reasons.
You have to budget millions of dollars for staffing and equipment hoping that you will never have to use.
Your job is to put the breaks on things we have learned we needed to do to make the business grow.

However if you do your job right, things work well, problems are quickly resolved, and you don't get any of the credit.

Re:

[Falconnan]

If you do your job right, it seems like you are doing nothing at all. If you do your job wrong, you are spending all your time putting out fires, and dealing with issues.

Your job is to tell people who don't take no for an answer. No you can't do that. Your job is to tell efficiency people that this efficient workflow cannot be done for security reasons. You have to budget millions of dollars for staffing and equipment hoping that you will never have to use. Your job is to put the breaks on things we have learned we needed to do to make the business grow.

However if you do your job right, things work well, problems are quickly resolved, and you don't get any of the credit.

This. 100% this. Absolute and total. All while being fought by people who don't want to affect short term profits

Re:

[93 Escort Wagon]

At 200K per year, you wouldn't have to put up with this very long before you were set for life - assuming you managed your money wisely.

Re: It is a thankless job.

[Way Smarter Than You]

How far do you think $200k goes? For a year or two, maybe longer if you're thrifty and a saver. You're only keeping about $100k of that after taxes. Now you have to pay for things like food, mortgage, property taxes, health care, it.ititss, clothing, any travel, car repairs, and so on. And if you have kids or non working spouse? Lololol. No $200k isn't much.

Re:

[ahodgson]

$200k is a lot if you live like you're making $60k. Less than 3% of US households make over $200k.

It would still take more than a few years to be "set for life" though.

Re:

[pr0fessor]

If I saved your money and didn't go nuts after a couple years I could probably take a year off but I live in the mid-west where cost of living is low and $50k/yr isn't bad.

Re: It is a thankless job.

[Way Smarter Than You]

Indeed. I'm sure $200k would go for a while where you are, but still nothing like "set for life". Money goes -really- fast. People just don't consider all the little things and how fast they add up. All those $5 Starbucks are no joke over time.

Re:

[whoever57]

If you are in Silicon Valley, you need that kind of money to buy a modest house.

Re:

[Opportunist]

Where do you live that 200k a year allow you to be set for life before very long?

Re:

[guruevi]

If you do your job right that statement would be false. The problem is that many CISO's have no idea what the business is or does. They just get brought in after some major event with the mandate to implement something without having any clue how things work.

A good security protocol doesn't impact good businesses processes, unless the business process itself is poor, security should add no overhead.

Full insanity.

[Arzaboa]

The tech industry is crazy bad at this. All these companies are trying to have the highest valuations with the smallest workforce. Profits drive it all. Burning through tech employees is a thing. There is always another new grad right?

I don't know if it is like this in other verticles as I am a tech guy. From what I see though many of our people are great computer folks, but terrible people persons. They can make a machine jump through crazy hoops, but when it comes to standing up for themselves, its just not their thing. This causes incredible burn out in the industry which comes with all sorts of bad stuff for everyone involved.

Any mature company can hire an extra couple of people to save the sanity of everyone. With the money in tech and the maturity level we are at, there is absolutely no reason we should continue to do this to each other.

--
It is a warning that, if nobody reads the writing on the wall, man will be reduced to the state of the beast, whom he is shaming by his manners. - Mahatma Gandhi

parachute

[bugs2squash]

They are C-level execs so they may well have a sweet exit deal. Maybe they're so stressed that they quit, collect and then start their next CISO gig.

Re:

[Pinky's Brain]

Maybe the companies get hit by a major attacks so often they are simply patsies who have to take the fall.

Re: parachute

[Way Smarter Than You]

Not really. I was CISO for a few years. Parachutes are for real c-levels like CEO and CFO usually. Everyone else gets what they get and moves on. CISO is not one of those blessed positions.

Re:

[Tom]

It has a C in the name, but it's not on the same level as the CEO, CFO, COO, etc. In fact, only if you are lucky do you directly report to one of those. I've seen CISOs who reported to the CSO who reported to the CFO who reported to the board.

Re:

[Opportunist]

The C only goes so far, the CISO is, at least in most companies, more the "junior" in the C suite. There are very, very few corporate structures where the CISO is on par with the "important" C-levels like CEO and CFO, usually you'll find him reporting to the CIO.

In many cases, the CISO title is handed out to pretend that they give a fuck about security. Take a look at their organization chart to see whether they do. Hint: If the CISO is tacked on behind some other C-level, they don't.

Re:

[Opportunist]

Found the person who never has been CISO in his life.

Re:

[Headw1nd]

Probably more than that, I was thinking "Has never held responsibility in their life."

As a CISO, fired for pointing out illegal actions

[ZoomieDood]

I had a rather short tenure as a CISO, when I caught wind of higher ups in the organization violating their own policy regarding accessing the email of an employee (who, uh, happened to be suing the agency for a hostile work environment).

I pointed it out to them in an email, and they hastily canned me. Something about open records acts is what they were afraid of.

And I didn't include details about whose account they were getting into, just alerting them to the policy and my awareness of actions to get into

Re:

[Bongo]

Oh, that's terrible.

Some places are just corrupt and there's nothing you can do about it other than keep your integrity and leave.

or lack of listeners

[RainyOffice]

I would say that after 26 months they are just giving up on the CEO listening to them. And then crossing fingers next company will be different.

Re:

[Opportunist]

Try to get a deal in finance. They do take security serious, mostly because their own neck's on the chopping block if they can't show that they tried their best to avoid security breaches.

What about UI/UX front end developers?

[backslashdot]

I dunno CISO seems pretty lame and easy to me, people are usually paranoid enough about security. Front end stuff though, that seems to be the latest stressed out job. It's hard to find people good at it. Mainly due to the fragmentation of technologies. React, angular, vue, bootstrap, all that crap -- people are rarely a master in it. Maybe the real software engineers don't want to learn JavaScript and CSS which seems like foo foo designer stuff. And the IDEs are a ball of suckage too. Many front-end develo

I can relate

[uncoveror]

I am a team lead over a group of help desk agents. When I am doing performance reviews, the number of agents who are resetting passwords and PINs without confirming a caller's identity with the last 4 of the user's SSN first makes me angry enough to spit fire! I write negative reviews, and send nastygrams but do not have firing authority. At least I am not the one who is ultimately held responsible for how naive, lazy or forgetful under time pressure help desk agents can be. A CISO is. Help desk agents are doing what may be the most hated job in all of IT, so people are not beating down the door trying to get that job. Because of this, bosses are reluctant to fire them. They will always be easy to social engineer into resetting a password, as they want to help people who are nice to them, and get people who are abusive or threatening off their phones right away. Their mistakes will be blamed on a mid-level executive, by a senior level executive, who know less about computers than the clueless callers who want magic wand solutions, and yell at you for not letting them use "password" as their password so they can remember it.

Because most CISO are clueless

[LordWabbit2]

Because most of them are clueless, after 26 months of pretending to know how to do their job they make a run for it before the shit hits the fan.