Lena Smart makes the perfect pitch to be a CISO.
She talks about the multitude of great opportunities in the field and highlights the plethora of interesting challenges that come with the role.
She talks about the strong relationships she has forged as a CISO and readily talks about the high levels of trust that exist between herself, her team and other executives.
She also enjoys being able to set a security strategy and knowing that the organization is supporting her while they do what is necessary to implement it.
“The money stops with me. I think that’s what gives me satisfaction,” says Smart, who in 2019 became MongoDB’s first CISO, her third position as Chief Security Officer.
Unsurprisingly, Smart’s enthusiasm and stated love for her work are not universal among security officials. The level of satisfaction vs. dissatisfaction varies from one survey to another; some reports indicate that CISOs are extremely satisfied with their work, while others have revealed significant dissatisfaction.
The satisfaction of the CISO: in figures
The Cyber Security Professionals Salaries, Skills and Stress Survey 2020 from security technology company Exabeam found that 96% of those surveyed were satisfied with their role and responsibilities, and 87% were satisfied with their salary and income. The Reference study on the remuneration and budget of the CISO 2020 from IANS Research and the cybersecurity practice of Caldwell Partners also found that the vast majority of CISOs are satisfied with their positions.
On the other hand, the CISO Voice Report 2021 from security technology company Proofpoint found that 57% of CISOs thought the expectations for their role were excessive and almost half didn’t believe their organization was positioning them for success.
But these reports are just the beginning of the story, highlighting what makes the position exciting and fulfilling or, conversely, what makes it frustrating and unsatisfying, and how each side of this division can have a positive or negative impact on an organization’s ability to secure itself and attract the talent needed to do so.
Of course, there are happy and unhappy workers in any role at all levels and for all kinds of reasons, but there are commonalities in what brings satisfaction to CISOs that are indeed informative, both about the role and about the people who are drawn to it.
“I have the impression that security is sort of a vocation. If you find your calling and find a place to fit in, there is nothing better than this,” says George Finney, CISO at Southern Methodist University in Dallas, founder and CEO of Well Aware Security and author of Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future.
For Finney, like many security managers and staff, the variety of challenges the job brings him is part of what keeps him engaged in the role. “It’s something new every day; it’s so exciting — I hear that from everyone in security as well — and the fact that we’re not limited to one part of the business and working with everyone,” Finney said. And, like other successful leaders, Finney enjoys the people-centered aspects of working: connecting with other CISOs and being a part of the cybersecurity community, while helping his employees grow and climb the echelons of security. But one of the most important job satisfaction factors for Finney and the other CISOs we’ve spoken with is how their role makes a difference.
“I like being able to take a problem apart and find a good solution and find these real solutions that will actually work to prevent bad things from happening,” Finney said.
Security veteran Ryan Gurney said the ability to “mitigate business risk” was directly correlated with his job satisfaction. “I always felt that I had what I needed and that I was able to do what I had to do,” he says.
Indeed, the Proofpoint survey reveals that having a clear goal to help the company (44%) and the responsibility to craft a response using technology, people and/or processes to deal with changing business situations and risks (44%) are the main reasons for the job satisfaction of CISOs.
Finney speaks directly to these points, saying, “I want to be in a role where I can make a difference. This is what motivates me to get out of bed in the morning.”
Leave their mark
For Andy Ellis, former CSO, inducted in 2021 into the CSO Hall of Fame of CSOonline and now operational partner at YL Ventures, the mission is essential.
“The mission was definitely the most satisfying part for me and I have anecdotal evidence that it is the same for others, that you can see how you can change the world,” he says. “I think that’s what everyone wants – they want to know that they’ve left a mark on the world even though no one else knows.”
The CISO role is one of the few roles that really delivers such tangible results, Ellis adds.
“When these bad things don’t happen to your organization, and the reason they haven’t happened, is because you made a change [in the security posture], it’s very rewarding,” he says.
In fact, CISO surveys as well as interviews with security officials reveal general themes that correspond to Ellis’ observation. The results indicate that CISOs who feel satisfied with their role and their work are the ones with the power to define the strategy; the autonomy, resources and teams to pursue their goals in the way they see fit; and the trust of others throughout the organization to achieve goals.
“This is the key thing I have to look for: alignment with how you feel about your job and what the company thinks about your job,” says Ellis.
Seeds of discontent
Of course, almost everyone, including the happiest CISOs, has parts of their job that they don’t like and has overcome significant, sometimes unpleasant, issues throughout their career. They have had, for example, frustrating conflicts with colleagues over investments and strategies. Some have had to face shortcomings. But overall, they say they are satisfied with their ability to do their jobs successfully.
This contrasts with CISOs who, in studies and in shared anecdotes, express ongoing dissatisfaction and frustration.
The IANS survey identified the three main causes of dissatisfaction among CISOs: insufficient budget, lack of organizational support and inadequate career development.
Meanwhile, the CISO Stress Report: Life Inside the Perimeter, One Year Later from UK domain name registrar Nominet found that 88% of CISOs report being moderately or highly stressed, with almost all CISOs (around 95%) working more than their contractual hours. Additionally, 48% said excessive stress had an impact on their mental health and 35% said it had an impact on their physical health.
Security officials say the CISOs they know who are most unhappy with their jobs are those who are not seen as executive peers within their organizations, who have to fight for the necessary resources and who still don’t have the support they need to adequately secure the business.
“A lot of them aren’t in the boardroom like the other C-levels, and I hear this frustration from many of not getting management support,” says Gurney, who previously headed security at two tech companies and is now CISO in residence at YL Ventures.
This in turn can limit a CISO’s ability or willingness to tolerate the ongoing stress of the job – its onslaught of 24/7 cyber attacks, the sometimes thankless nature of the job, the difficulties in recruiting enough skilled talent.
“They expect them to be part of the decision-making process, and they don’t. They’re not necessarily aligned with the CEO and the board, so they’re in the middle of that tension,” Ellis said.
This leads to more than a dissatisfied CISO; this can lead to more frequent job rotation within the organization and, ultimately, can result in a suboptimal security posture.
Ellis and others say they have not seen CISOs shirk their duties or disengage in such situations. But they note that these CISOs face more challenges in building an effective and sustainable security operation and have more obstacles in attracting and retaining top talent due to misalignment and the general lack of support.
However, security officials stress that CISOs are not powerless even in these situations. On the contrary, they can work to cultivate better relationships with their executive colleagues; advocate for inclusion in strategic planning and decision-making conversations; and learn how to communicate security needs in terms of business risks more effectively.
“You have to have a good story, and it has to be understandable and relatable,” says Smart.
Finney has a similar thought, saying, “When there is a disagreement I have to ask myself if I have done my job well enough to tell the story because if they have a picture then my job should be easy.”
Senior security officials also say that dissatisfied CISOs may need to engage in some soul-searching and consider whether they really want the executive role; whether they would be more satisfied in other positions, such as those that take advantage of their technical skills rather than their managerial skills; or if they have the right job but work for the wrong company.
After all, they add, the high demand for security experts means changing jobs is always an option. There is no reason to stay somewhere that isn’t right for you.
Copyright © 2021 IDG Communications, Inc.