
Are CISOs Losing Patience? 

Security leaders seem to be resigning in droves, hard-pressed by shrinking budgets, poor staffing and a general apathy over cybersecurity

The growing commoditization of ransomware and the continued apathy over cybercrime in boardrooms are resulting in a spate of resignations by CISOs. Security leaders are also dealing with reduced budgets, poor staffing and continued challenges around security tools and protocols that require a focused approach.

Experts have already sent out warnings over the spate of resignations, saying that once the CISO, as the leader of an enterprise’s defense against threat actors, resigns, companies could face tougher challenges ahead. Rick Crandall, chairman of the National Cybersecurity Center’s Cyber Committee, says that without a leader, the management of cybersecurity could be diluted.

In fact, research by BlackFog released six months ago had pointed out that a third of CISOs in the US and UK were considering quitting their positions. Of those considering this option, a third were planning to do so within six months. These findings come as demand for cybersecurity talent intensifies, with reports of hard-to-fill vacancies and skills shortages across UK and US organizations.

Frustrations are mounting and budgets aren’t 

This research, which explored the frustrations and challenges faced by cybersecurity leaders, also highlights the impact that cyber incidents have on turnover and job security. It revealed that of those who had been a CISO or IT security leader at a previous organization, two fifths (41%) either left, or were let go, due to an attack or data breach.

BlackFog says that among the major reasons for CISO dissatisfaction were a lack of work-life balance and too much time spent firefighting rather than focusing on strategic issues. The report flies in the face of earlier ones that suggested cybersecurity had become a crucial strategic discussion item in the boardroom.

Some CISOs are struggling to keep up to date with new frameworks and models, while others say that keeping their team’s skill levels up is becoming a serious challenge. In addition, the quality of available resources is poor, as the total number of unfilled positions grew by a whopping 350%, from a million in 2013 to 3.5 million in 2021.

Hampered by excessive expectations

The report said this number could hold till 2025, and that all the CISO respondents in the survey felt the need for additional resources to cope with the security challenges. In fact, another survey, by Proofpoint Research, said CISOs were unhappy at facing excessive expectations at a time when security budgets are being curtailed.

“Cybersecurity expertise has never been more in demand; however, these numbers highlight a serious issue with retention in the field. Board members and the C-Suite must recognize that keeping a strong team of IT security leaders is essential for their company’s safety and security,” said Dr. Darren Williams, CEO and Founder, BlackFog.

Reports say that the 24/7 nature of the CISO role was a major factor behind the resignations, while additional frustrations came from poor collaboration: the C-suite generally expects CISOs to pull through, despite their lack of authority to bring the challenges, and the solutions to them, to the attention of senior management.

Lack of authority is what pinches the most

We spoke to some CISOs, and they were nearly unanimous that it was not the diminishing budgets that created the recent challenges. It was more about the lack of authority to bring forth best practices across the company. In addition, there is also the oft-spoken lack of visibility at the top when it comes to cybersecurity.

A growing challenge amidst all of this is the issue of reporting cybersecurity incidents, as government regulations increasingly raise expectations about what needs to be reported and what can be left out. A case in point is the recent high-profile conviction of the former chief security officer of Uber for an alleged cover-up back in 2016.

From Crandall’s point of view, communications need to be clearer between CISOs and the rest of the C-suite, rather than the issue only being raised when things go south. He holds the view that these officials need to have direct access to the boardroom, and that senior managers need to foster strong relationships with them to understand prospective challenges.

Overall, one can safely say that leadership at the top needs to take responsibility for this situation, as cybersecurity is only going to become even more critical in an Industry 4.0 scenario and in the next wave of innovation.
