Chief information security officers and other enterprise security leaders often don’t remain long enough with the same organization to be able to make a strategic difference. Those who do say business focus, the ability to communicate with key stakeholders and knowing how to manage expectations are key to longevity in the CISO role.
Take Andy Ellis. As Akamai’s chief security officer for the past eight years, Ellis has played a central role in implementing a zero-trust data access model that has fundamentally transformed the company’s security posture. Over a total of 16 years in various security roles at Akamai he has helped define and evolve the organization’s core security strategy.
Ellis believes that being at the same company for so long has been critical to his ability to effect change. “I’ve gotten to mold this position,” Ellis says. “As I’ve gone along, it’s been like wearing a comfortable glove. I understand how the organization works; therefore, I can get more done.”
Not many CISOs can say that. Studies show that the job tenure for most CISOs typically is between two and four years. A widely quoted 2017 survey-based report from analyst firm Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) estimated the average tenure of a CISO to be between 24 and 48 months. A more recent Kaspersky Lab study concluded that barely half of all CISOs stay at their job for more than five years, but 64 percent of those who do believe they are adequately involved in business decisions, compared to 36 percent of CISOs with shorter job stints.
The lure of higher compensation is one major reason why CISOs rarely stay very long in one place. CISOs, like most other security professionals, are a hot commodity. The ESG-ISSA survey showed that 38 percent of CISOs quit their current job for better salary and benefits. That’s not the only reason. The same survey showed that 36 percent leave because of a corporate mismatch and 34 percent head for the exits because they feel left out of the executive decision-making process. Other frequently cited reasons included lack of budget, lack of skill and inadequate support from upper management.
CISOs often are the first to bear the brunt of the responsibility for data breaches as well. Facebook CISO Alex Stamos and Equifax CSO Susan Mauldin are two examples of security leaders at large organizations who felt pressure to leave as a result of security miscues.