High CISO Turnover
The Silent Security Threat
With the ongoing drumbeat of security breaches at corporations and other institutions, it shouldn’t be surprising that the job of chief information security officer is considered one of the toughest slots on the organizational chart.
That’s unlikely to change anytime soon. But the finding of a Ponemon Institute study last year that many CISOs survive in their position for only two years should serve as a serious wake-up call regarding how these leaders are chosen. Consider the costs of a revolving door to the CISO’s office:
- An inability to gain momentum around a consistent strategy as a succession of CISOs takes the helm
- “Reform fatigue” among those on the CISO’s team
- Greater difficulty in developing an internal pipeline of future leaders due to an unstable internal environment
- The transaction costs of identifying and recruiting a key executive
High CISO turnover, in other words, constitutes a security threat of its own, and organizations need to respond to it with the same determination that is brought to bear on more traditional vulnerabilities. And as is often the case with those conventional threats, finding a solution begins with a rethinking of the situation. Too often, companies end up viewing the CISO’s role in primarily concrete terms — to protect the organization from hacker intrusions, to keep the company in line with regulatory requirements and best practices, and so on. But focusing on outcomes obscures the CISO’s real job: to lead in environments with high levels of volatility, uncertainty, complexity and ambiguity. This calls for a completely different approach to how candidates for the CISO role are evaluated.
The CISO’s complex reality
The uncertainty at the core of the CISO’s job goes beyond the obvious challenges like the morphing of cyber threats due to increased connectivity and the emergence of a cyber-underworld that operates on a global scale. There are also a host of lesser-known internal uncertainties. While cybersecurity may have a permanent place on the board agenda, not all CEOs and board members have the experience and vocabulary necessary to work in a truly collaborative manner with the CISO, creating the potential for miscommunication with key decision-makers. The budgeting for cybersecurity is a notoriously volatile tug of war between proactive planning and the demands of crisis response.
When evaluating CISO candidates, companies must look beyond past performance.
The intertwining of information security with physical security makes the CISO dependent on areas outside of his or her authority. And the continued growth of social media, where employees freely post work-related information, results in a much larger “attack space” for hackers to mine. (Remember that an organization can be made vulnerable not just by what is shared by its employees, but by the employees of the organization’s vendors and business partners.)
Most companies evaluate CISO candidates by screening for certain leadership competencies, such as communication and influence. These are particularly important attributes given that one of the CISO’s key tasks is to create an environment that integrates good security practices throughout the organization. Indeed, our observation has been that CISOs typically spend up to 20 percent of their first year’s discretionary time on understanding, navigating and managing stakeholder relationships (although that percentage drops meaningfully thereafter as they build credibility and trust).
But while competency screening gives an important inventory of the candidate’s leadership toolbox, in the highly dynamic environment in which the CISO must operate, competencies do not go far enough. After all, they assume that present performance is a predictor of future success — a tenuous assumption when the future is constantly in flux. In fact, the attribute that such times demand — the ability to adapt to change — is clearly distinct from both the technical expertise that shows up on a CV and the leadership abilities inventoried by competencies. While there are many factors that contribute to the short tenure of CISOs, companies looking for a CISO can increase the odds of long-term success by expanding their assessment strategies to look not just at past and present performance, but at the ability to confront unknown challenges in the future.
Measuring the ability to thrive in uncertainty
In order to reach a clearer understanding of the traits called for in volatile environments, Egon Zehnder analyzed the data on thousands of executives it has assessed and identified four key qualities that indicate the ability to successfully lead in the face of the unknown:
1. Curiosity: A penchant for seeking out new experiences, knowledge and candid feedback and an openness to learning and change.
2. Insight: The ability to gather and make sense of information to suggest previously unseen opportunities and threats.
3. Engagement: A knack for using emotion and logic for communicating a persuasive vision and connecting with people.
4. Determination: The wherewithal to fight for difficult goals despite challenges and to bounce back from adversity.
We call the sum of these four traits a candidate’s potential. Executives with these qualities are “comfortable being uncomfortable” and thus are well equipped to lead when uncertainty is high. Of course, the four qualities of potential do not replace the need for relevant experience and core leadership competencies. But adding potential to the CISO candidate evaluation process makes it more likely that the company’s choice will survive long enough to make a lasting impact in a critical function.