What’s a CISO “Time-To-Leave” (and how to retain them)?
We are often told that CyberSecurity staff is both hard to find and hard to retain.
I have the feeling that, regarding experienced CyberSecurity experts, such as CISOs, we have reached the time at which some of them:
are talented enough to define clear objectives for themselves and their teams,
as a corollary, are less and less willing to slow down the pace of their activities (due to the high level of threat). They chose their job to overcome its challenges, and now they know how to achieve their goals – and are paid to do so.
For most of them, the reputation of their company, the size of their teams, and even their level of compensation is not their primary motivation to stay, as opposed to how much they actually learn from their job on a daily basis and are confronted to new challenges.
Now how do we define “experienced CISOs”? Of course, it varies a lot from one individual to another. But for sure, when someone has been a CISO a) for various large companies b) for at least several years each, and c) have globally more than 10 years of experience in CyberSecurity, they pretty surely qualify…
Still, some companies are willing to hire a CISO “to tick the box”. Unfortunately, some of them get involved into various social/political issues, loose more and more ability to influence the operational level of protection of his company, and hence get more and more afraid of getting involved into a CyberSecurity crisis someday…
Other companies may first hire a CISO to perform a quite practical primary objective, but, after several years, the same companies are embarrassed with the amount of change management that such a protection requires, resulting from the activity of their CISO.
I have the growing feeling that, at that point, experienced CISOs choose to resign and either:
a) move to another CISO job,
b) start their own company,
or c) switch to a complete different job (one of my friend switched from CISO to photographer…).
This is probably the best case scenario.
Worse cases would include real “burn-out” situations.
Various press articles have covered CyberSecurity staff involved in such burn-out.
But, tell me… How can CyberSecurity experts, which are so passionate about their job, end up in a burn-out? Simply because they don’t want to abandon their vessel, even though they are more and more convince that they don’t have the means to avoid the iceberg…
So they keep running faster and faster, though they are never satisfied about their job and achievements.
Now, the question is: how long does, in average, a positive relationship between an experienced CISO and his company last for? How long are such experienced CISOs enjoying to execute their job in large companies? According to my observations and as well to Heidrick & Struggles last survey, it seems that 4 years is a fair number.
Are there exceptions? Could experienced CISOs actually stay longer than 4 years in large companies, while still fully enjoying their job? I believe that CISOs either:
running an external activity related to their job (eg: leading a CyberSecurity association)
and/or are hired by a tech (software/hardware) company, in particular in the CyberSecurity field
and/or moving on a regular basis from one job/position to another within their company
…are likely to stay longer as CISO of their company. For others, I’m less optimistic.
Knowing this, what could we recommend to CISOs / companies to reduce CyberSecurity staff turnover? I would summarize it this way:
Keep supporting your CISO/CyberSecurity teams. Focus on and support their progress rather than on what they need to improve
Apply Steve Jobs’ recommendation: “It does not make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do”.
Avoid mixing [too much] politics and CyberSecurity. Avoid changing CISOs objectives too often. It is hard enough to manage budget, skills and change management constraints to reach a proper level of protection. Keep in mind that CISOs enemies are (and must remain) hackers and malware. There’s no room to add others.
Instead, feed your CISO & CyberSecurity teams with challenges and training. Remember that what makes (and enables to retain) Great Employees is a mix of Trust, Talent, Tenacity and Training…
Still, I like this quote from Shawshank Redemption: “Some birds are not meant to be caged, that’s all”. Hence, companies should remain proud of the progression of their associates towards new positions, either internal or external. It usually means that they learned a lot through a fruitful multi-year experience!