date 2020-02-12
Average Tenure of a CISO is Just 26 Months Due To High Stress and Burnout (zdnet.com)
Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress. From a report: Many say the heightened stress levels have led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases, an eventual burnout, resulting in an average 26-month tenure before CISOs find new employment. The numbers, reported by Nominet, represent a growing issue that's been commonly acknowledged, but mostly ignored across the information security (infosec) community, but one that is slowly starting to rear its ugly head as once-ignored infosec roles are becoming more prominent inside today's companies. [...] The survey's results paint a gloomy picture about one of today's most in-demand jobs. According to the numbers: 88% of CISOs reported being "moderately or tremendously stressed." 48% of CISOs said work stress has had a detrimental impact on their mental health. 40% of CISOs said that their stress levels had affected their relationships with their partners or children. 32% said that their job stress levels had repercussions on their marriage or romantic relationships.
nowhere with management.
"Hey we should do X, Y, Z."
CXO: "Will it bring us profit?
"No, but it'll prevent us from becoming the next Equifax."
CXO: "Yeah, but nothing bad happened to them...."
CISO: "Why did you bother to hire me, fuck this industry..."
Condoms on all the cables.
You're doing that wrong.
The correct answer is "yes, it will bring us profit. By reducing our losses to incidents, and by allowing us to manage our risks better, which means we can reduce the reserves we put aside for handling them and free up cash for profitable investments."
Also, don't pick Equifax as the example. In my country, an industry leader was down for two weeks - factories stopped, no production, losses in the double-digit millions. It's not a high-profile case because it's industry and not consumer, and journalists didn't jump on it, but it's a brilliant example (can't drop the name, we were involved in the cleanup process).
Pick your fights better, and understand that communicating to management is a major part of your job, so train it, refine it, and do it right. You'll save yourselves tons of headaches.
On a bean counter's spreadsheet, one who is chasing a bonus for cutting costs. How much does the CISO office cost, how much money does it make and there are the numbers proof. Prove that it will prevent losses, where are the proven numbers, where are the receipts, here are the real world savings and here are your imaginary costs. This is the bonus that executives will receive for this quarter based upon these savings. What profits will your security division make, we know the costs, where are the profits and
On a bean counter's spreadsheet, one who is chasing a bonus for cutting costs. How much does the CISO office cost, how much money does it make and there are the numbers proof
I can calculate you that number, it's part of what I do.
Prove that it will prevent losses, where are the proven numbers, where are the receipts, here are the real world savings and here are your imaginary costs.
Wrong level of management. Top level managers think beyond the cash register. If you don't get to talk to them, you are wasting your time.
What profits will your security division make
None. IT is not a profit center, it is a support process that enables others to make a profit.
Also, we keep the CEO out of jail. A major driver is compliance and accountability. The simple fact that you have a security division is the #1 thing that'll keep you away from gross negligence in case the shit hits the fan.
In my experience the typical C level response to this argument is "if you were doing your job properly there wouldn't be any incidents."
They see it as you effectively saying that you can't protect them and they should fire you and find someone who will pretend they can.
Maybe tenures are so short because they know to move on in a couple of years max so that when it inevitably does go wrong they aren't around to take the blame, or can blame their predecessor if they have only been in the job for six months.
One difference between plebs and CISOs (Score:4, Informative)
"The base salary for Chief Information Security Officer ranges from $197,716 to $261,204 with the average base salary of $226,265."
I could put up with a whole pile of BS for 200K a year.
As long as when I advised the board on needed changes, they would sign off on their decisions on paper.
In my previous jobs, managers became very indecisive when I asked for their decisions in writing.
The C in CISO means you own their decisions, there won't be anything in writing.
This. When you're a C-level, the buck stops with you. You have to make the hard decisions of getting things done while supporting the business. Have fun with that!
:P
If all you do is put up with BS, you won't stay a year because then you're the fall guy with no budget to avoid it. You're essentially sitting on an ejector seat with someone else having the trigger for it.
It is a thankless job. (Score:5, Insightful)
If you do your job right, it seems like you are doing nothing at all.
If you do your job wrong, you are spending all your time putting out fires, and dealing with issues.
Your job is to tell people who don't take no for an answer. No you can't do that.
Your job is to tell efficiency people that this efficient workflow cannot be done for security reasons.
You have to budget millions of dollars for staffing and equipment hoping that you will never have to use it.
Your job is to put the brakes on things we have learned we needed to do to make the business grow.
However if you do your job right, things work well, problems are quickly resolved, and you don't get any of the credit.
This. 100% this. Absolute and total. All while being fought by people who don't want to affect short term profits
At 200K per year, you wouldn't have to put up with this very long before you were set for life - assuming you managed your money wisely.
$200k is a lot if you live like you're making $60k. Less than 3% of US households make over $200k.
It would still take more than a few years to be "set for life" though.
If I saved my money and didn't go nuts after a couple years I could probably take a year off, but I live in the Midwest where cost of living is low and $50k/yr isn't bad.
If you are in Silicon Valley, you need that kind of money to buy a modest house.
Where do you live that 200k a year allows you to be set for life before very long?
If you do your job right that statement would be false. The problem is that many CISOs have no idea what the business is or does. They just get brought in after some major event with the mandate to implement something without having any clue how things work.
A good security protocol doesn't impact good business processes; unless the business process itself is poor, security should add no overhead.
Full insanity. (Score:2)
The tech industry is crazy bad at this. All these companies are trying to have the highest valuations with the smallest workforce. Profits drive it all. Burning through tech employees is a thing. There is always another new grad right?
I don't know if it is like this in other verticals as I am a tech guy. From what I see though many of our people are great computer folks, but terrible people persons. They can make a machine jump through crazy hoops, but when it comes to standing up for themselves
parachute (Score:3)
Maybe the companies get hit by major attacks so often they are simply patsies who have to take the fall.
It has a C in the name, but it's not on the same level as the CEO, CFO, COO, etc. In fact, only if you are lucky do you directly report to one of those. I've seen CISOs who reported to the CSO who reported to the CFO who reported to the board.
The C only goes so far, the CISO is, at least in most companies, more the "junior" in the C suite. There are very, very few corporate structures where the CISO is on par with the "important" C-levels like CEO and CFO, usually you'll find him reporting to the CIO.
In many cases, the CISO title is handed out to pretend that they give a fuck about security. Take a look at their organization chart to see whether they do. Hint: If the CISO is tacked on behind some other C-level, they don't.
Found the person who never has been CISO in his life.
As a CISO, fired for pointing out illegal actions (Score:2)
I had a rather short tenure as a CISO, when I caught wind of higher ups in the organization violating their own policy regarding accessing the email of an employee (who, uh, happened to be suing the agency for a hostile work environment).
I pointed it out to them in an email, and they hastily canned me. Something about open records acts is what they were afraid of.
I pointed it out to them in an email, and they hastily canned me. Something about open records acts is what they were afraid of.
Oh, that's terrible.
Some places are just corrupt and there's nothing you can do about it other than keep your integrity and leave.
or lack of listeners (Score:3, Insightful)
Try to get a deal in finance. They do take security seriously, mostly because their own necks are on the chopping block if they can't show that they tried their best to avoid security breaches.
What about UI/UX front end developers? (Score:2)
I dunno, CISO seems pretty lame and easy to me, people are usually paranoid enough about security. Front end stuff though, that seems to be the latest stressed out job. It's hard to find people good at it. Mainly due to the fragmentation of technologies. React, Angular, Vue, Bootstrap, all that crap -- people are rarely a master in it. Maybe the real software engineers don't want to learn JavaScript and CSS, which seems like foo foo designer stuff. And the IDEs are a ball of suckage too.
I can relate (Score:2)
