Source: www.csoonline.com – Author:
News Analysis
28 Oct 2024, 3 mins
Careers, CSO and CISO, Data Breach
Increased pressures are putting CISOs in the hot seat, but should they bear all the blame when the inevitable comes?
When security vendor Portnox reported in a survey that 77% of CISOs say they are either very or extremely worried about losing their job when the next big breach happens, it raised questions about how CISOs should perceive their value in the C-suite. Will they be punished for issues beyond their control? What should happen if a breach can be linked to a budget request the CFO rejected?
Will Townsend, VP and principal analyst at Moor Insights and Strategy, said the survey result encapsulates how most CISOs feel, and whether the enterprise will ultimately fire them in the wake of the next breach is arguably a secondary concern. As long as the CISO worries about inevitable termination, it’s going to color the CISO’s behavior. Is a gun-shy, hesitant CISO what the enterprise is trying to create?
Enterprises “are going to be breached, sooner or later. An organization will hire a CISO because it is the one-throat-to-choke belief,” Townsend said. “It’s been documented that the buck stops with the CISO, which means that they are likely at risk of losing their job” when a major breach occurs.
But company culture and senior management must be fair and realistic when it comes to cybersecurity responsibilities for CISOs to perform their duties right. Whomever the CISO reports to — often the CIO, with a dotted line report to the CFO — should also be on the proverbial hot seat, Townsend said.
“Let’s say that the CISO has addressed certain concerns, such as identifying a gap in an identity access system and the CISO asks for the budget to have those controls put in place and they are denied,” Townsend said. “This is a team sport. The whole C-suite needs to have that responsibility. It’s so easy to point the finger at the CISO and it’s a mentality that needs to change.”
“The entire C-suite has to have skin in the game. A lot of this comes down to budget. The head of HR, the CFO, and the CISO all have to have an equal part in making sure that the proper security controls are in place,” Townsend said. “The entire C-suite should have their compensation tied to proper security controls.”
Jess Burn, principal analyst at Forrester, takes a stricter view. “If the CISO is truly afraid of [getting fired when the next major breach happens], they shouldn’t be working there anymore,” she said.
A talented CISO who manages a major post-breach incident instantly becomes a very valuable resource in the CISO hiring universe, she said. Firing that executive does little more than force them into the arms of your largest rivals.
“There are major market opportunities for people who have fought their way through these breaches,” Burn said. “A post-breach CISO, assuming the CISO managed processes well post-breach, you will be in serious demand. Another company will absolutely want that experience.”
The best way for CISOs to strengthen their positions is to focus on revenue, net income, and market share. “Tie the underwriting process into your security controls. [The C-suite] language is money and revenue. Remind them that customers’ third-party risk assessments are only getting harder and harder.” In other words, doing well on those assessments is the direct path to more customer revenue. More to the point, failing those assessments means losing potential customers.
Original Post url: https://www.csoonline.com/article/3587236/77-of-cisos-fear-next-big-breach-will-get-them-fired.html
Category & Tags: Careers, CSO and CISO, Data Breach, Incident Response, Risk Management