‘Tis the Silly Season – CISOs are a lot like College Football Coaches

As we head towards the end of the year, the annual rising of mobs of people pushing and shoving to get what they want reaches a crescendo. No, I’m not talking about the recent Black Friday sales, but rather the head coach carousel in American college football, ignited at the end of the regular season by hordes of jilted-feeling fans with torches and pitchforks.

This is such a regular occurrence that it’s been given a name – the silly season.

So far this year 20 head coaches in the FBS (upper division) have resigned or been fired, which kicks off a domino effect of changes at other schools as those with vacancies posture for the best talent they can attract, often from other schools who would like to retain the leadership they have.

CISOs face pressures and pitchforks not unlike college football coaches.

The average tenure

There are wildly divergent estimates for how long the average CISO stays in the role, ranging from a low end of 17 months to five years. That’s about the same for a college football coach, who in years past was given four or five seasons to attempt to win sufficiently with his own recruits. But at schools with unrealistic expectations, coaches can find themselves out in two seasons.

While there are CISOs who make their own decision to seek other employment, the more likely source of turnover is headline-grabbing breaches, kind of like an unexpected loss in college football, but, I imagine, with a far more far-reaching real-world impact. Should this be a realistic expectation – that a CISO can guide the organization to avoid breaches entirely? And if breaches are inevitable, how can that expectation be set?

Setting the expectations

To avoid being the designated sacrifice when breaches occur, clear expectations should ideally be set before taking the job. In today’s threat environment we must assume continuous breaches – what is relevant is the response.

How fast should attackers be detected and vulnerabilities remediated?

How can we mitigate the potential damage if data is exfiltrated? What is the expected increase in mean time between breaches, and what budget will be used to improve the security posture?

These are the addressable questions around which metrics and objectives can be set for an incoming CISO. A zero-breach expectation would require an unreasonable amount of resources. Executives and the board may not want to hear that, but they need to understand it. No coach can guarantee a zero-loss season.

Start fast

Once expectations have been negotiated and the CISO is hired, Gartner suggests that the first 100 days in the role are the most critical time period for success or failure. Like the college coach who has to prepare before taking the field, the new CISO, according to Gartner, needs to map out the first 100 days in six phases:

• Prepare

• Assess

• Plan

• Act

• Measure

• Communicate

These steps are designed to establish the credibility of the CISO and earn goodwill that will be necessary when the inevitable breach occurs.

Get the right people on the team

Recruiting is the lifeblood of any college football team. So it goes in security, but finding talent is a real challenge. ISACA’s global survey, The State of Cybersecurity: Implications for 2015, states, “Enterprises are having a difficult time hiring skilled people as it takes 53% of organizations between 3 and 6 months to fill a position and 10% cannot fill them at all.” Retention and recruiting will need attention early and often in the CISO’s tenure, or the loss of talent will make the agreed goals unachievable.

Is it possible to avoid the Silly Season?

While college football coach tenure is unlikely to improve, having more successful CISOs is sure to improve the security posture of our enterprises. Realistic expectations and an improved understanding of the challenges, coupled with credible plans and the right people, are necessary to stop the CISO carousel.
