Phil Zongo, CEO & co-founder of the Cyber Leadership Institute, discusses the challenges and pressures facing the CISO community and how to address them.

Cybersecurity chiefs are getting paid more and moving less, according to a survey by IANS Research and Artico Search. The study, which polled the perspectives of 755 CISOs globally, revealed that average CISO annual compensation packages exceed $550,000, with 'top' CISOs earning more than $1 million a year.

However, even with these mouthwatering salaries and other benefits, including direct access to the board and increased visibility with external stakeholders, most CISOs are struggling to deal with a variety of work pressures. Regulation overload, rising board expectations, vulnerable supply chains and intensifying threats are all weighing on the mind of the average CISO. Discounting these CISO pain points is not just negligent; it’s dangerous. According to a separate study, 49% of cyber chiefs do not see a future in their roles due to these ever-expanding responsibilities. Given these challenges, it’s not surprising that respondents to the 2024 ISC2 Cybersecurity Workforce Study were neutral in their interest in becoming a CISO.

Nonetheless, this is not a counsel of despair. Rather, I offer simple but powerful strategies cybersecurity leaders can deploy to amplify their impact based on lived experiences and candid discussions with hundreds of cybersecurity leaders we have trained at the Cyber Leadership Institute. 


Nurture Deep Relationships with High-Influence and High-Interest Stakeholders

John P. Kotter, an organizational change expert, was right to say, “Change is impossible without a guiding coalition." A shared vision is as vital in cyber transformation as it is in any other part of the business. As the majority of new CISOs discover the hard way, success in this high-pressure position has very little to do with one's technical competencies and much more to do with the ability to navigate complex political dynamics deftly, turn detractors into supporters and enlist the support of key decision-makers. Cyber transformation programs are doomed to fail without the unwavering support of key executives and the board. 

To get this right, cybersecurity leaders must acknowledge that not all stakeholders are created equal. To maximize their effectiveness, CISOs must disproportionately allocate their limited time towards high-influence and high-interest stakeholders. These are powerful executives whose views are always sought before the organization makes consequential decisions. Their support, or lack thereof, could either sustain or kill your cyber transformation agenda. Naturally, high-influence stakeholders include most of your C-suite as well as other power brokers. 

Given the complexity of cybersecurity, it can be tempting for a CISO to think that they know it all. But the days of the lone wolf are gone. Cyber transformation is a team sport and success is only guaranteed when a CISO consults widely and openly embraces opposing views. Cybersecurity leaders who run with tunnel vision build organizational resistance and stifle innovation. 

To win hearts and minds, cybersecurity leaders must approach key stakeholders with an open mind and genuinely seek their input into the cyber transformation strategy. When senior business stakeholders feel seen, heard and respected, they are bound to throw their full weight behind your cybersecurity strategy. Early and sustained engagement also turns business leaders into high-interest stakeholders. Your success and theirs become unified, giving them skin in the game. Here are three additional strategies CISOs can wield to enlist key stakeholder support. 

  • While most of your high-influence and high-interest stakeholders sit in the C-suite, you should never confuse rank with influence. A good example is an enterprise architect whose perspective the CIO always seeks before making any strategic decision, or the external advisor retained by the board to “infuse external perspectives”. 
  • Meet with your key stakeholders monthly to understand their top concerns and priorities. Make every effort to meet face to face because, as the saying goes, 'out of sight, out of mind'. Genuinely learn about their core values and connect at a deeper personal level. Key stakeholders are bound to support you if they know, like and trust you. 
  • Run any high-rated risk matters past the accountable executive before submitting your reports to the board and governance committees. Senior stakeholders hate being surprised or embarrassed in front of their peers.

The value of having key business leaders on your side is incalculable. According to McKinsey, getting influential stakeholders on your side increases the odds of success four times over.

Accelerate the Delivery of High-Impact Initiatives

Leading CISOs make their mark by making bold moves from the start. After moulding consensus with key stakeholders, they identify two or three high-impact initiatives and deliver them to near perfection. The role of the CISO is relatively straightforward – you tell the board what you will do, deliver that promise and then tell the board what you achieved with the allocated budget. 

In our experience, however, some CISOs attempt to boil the ocean without factoring in entrenched technical and cultural hurdles. These exaggerated promises create noise, fatigue thinly resourced cyber resilience teams and leave high-value digital assets woefully unprotected. CISOs who sell a utopian view of the world later waste a great deal of time trying to overcompensate for their miscalculations. Don’t get me wrong – making mistakes and pivoting away from your position is permissible as new data emerges. But frequent and huge swings away from your commitments harm your credibility. 

Start by asking a simple but important question: do we have the required skills internally to deliver a defined set of high-impact initiatives? If not, can we leverage external parties that can cost-effectively and rapidly deliver change? Let me illustrate with the story of a CISO we collaborated with at the Cyber Leadership Institute. 

Upon consulting with key stakeholders, the new CISO noted that deploying a 24/7 security operations centre (SOC) was a top business priority. On close scrutiny, the cybersecurity leader determined that the previous CISO's approach of hiring an army of security consultants and configuring security information and event management (SIEM) tools was fundamentally flawed. The new CISO needed to secure an early big win and cement credibility as a capable change maker. 

The CISO quickly took a 180-degree turn, outsourcing the initiative to a global endpoint detection and response (EDR) firm and assigning a team of experienced project managers and engineers. Within eight weeks, the cybersecurity team deployed a fully functioning 24/7 SOC on the same cloud platform several Fortune 500 companies used. They started shipping security logs from digital crown jewels to the SOC, leveraging advanced machine learning algorithms, extensive data sets and public cloud computing to process billions of logs and isolate a few bona fide alerts. 

Push complex initiatives to the later phases of your program. One CISO we trained made this common mistake. Excited by new data protection laws, the cybersecurity leader promised to roll out strict mobile device management policies across hundreds of personal devices. The move backfired as employees pushed back on his “big brother” attitude, citing privacy concerns. So, complex initiatives — such as mobile device management, encrypting proprietary systems, segmenting the network, or implementing data loss prevention (DLP) — must be carefully sequenced to avoid running into brick walls early in the transformation journey. 

Looking Forward

We predict that CISO salaries will continue to rise exponentially, and more cyber leaders will have unfettered access to the board and report directly to their CEOs. As these expectations rise, cybersecurity leaders must also up their game and master the art of executive influence, complex program delivery, and high-impact strategy design.
