'Tis the Silly Season – CISOs are a lot like College Football Coaches

As we head towards the end of the year, the annual rising of mobs of people pushing and shoving to get what they want reaches a crescendo. No, I’m not talking about the recent Black Friday sales, but rather the head coach carousel in American college football, ignited at the end of the regular season by hordes of jilted-feeling fans with torches and pitchforks.

This is such a regular occurrence that it’s been given a name – the silly season.

So far this year 20 head coaches in the FBS (upper division) have resigned or been fired, which kicks off a domino effect of changes at other schools as those with vacancies posture for the best talent they can attract, often from other schools who would like to retain the leadership they have.

CISOs face pressures and pitchforks not unlike college football coaches.

The average tenure

There are wildly divergent estimates for how long the average CISO stays in the role, but they range from a low end of 17 months to five years. That’s about the same for a college football coach, who in years past was given four or five seasons to attempt to win sufficiently with his own recruits. But at schools with unrealistic expectations, coaches can find themselves out in two seasons.

While there are CISOs who make their own decision to seek other employment, the more likely source of turnover is headline-grabbing breaches, kind of like an unexpected loss in college football, but I imagine with a far more far-reaching real-world impact. Should this be a realistic expectation – that a CISO can guide the organization to avoid breaches altogether? And if breaches are inevitable, how can that expectation be set?

Setting the expectations

To avoid being the designated sacrifice when breaches occur, clear expectations should ideally be set before taking the job. In today’s threat environment we must assume continuous breaches – what is relevant is the response.

How fast should attackers be detected and vulnerabilities remediated?

How can we mitigate the potential damage if data is exfiltrated? What is the expected increase in mean time between breaches, and what budget will be used to improve the security posture?

These are the addressable questions around which metrics and objectives can be set for an incoming CISO. A zero-breach expectation would require an unreasonable amount of resources. Executives and the board may not want to hear that, but they need to understand it. No coach can guarantee a zero-loss season.

Start fast

Once expectations have been negotiated and the CISO is hired, Gartner suggests that the first 100 days in the role are the most critical period for success or failure. Like the college coach who has to prepare before taking the field, the new CISO, according to Gartner, needs to map out the first 100 days in six phases:

• Prepare
• Assess
• Plan
• Act
• Measure
• Communicate

These steps are designed to establish the credibility of the CISO and earn goodwill that will be necessary when the inevitable breach occurs.

Get the right people on the team

Recruiting is the lifeblood of any college football team. So it goes in security, but finding talent is a real challenge. ISACA’s global survey, The State of Cybersecurity: Implications for 2015, states, “Enterprises are having a difficult time hiring skilled people as it takes 53% of organizations between 3 and 6 months to fill a position and 10% cannot fill them at all.” Retention and recruiting will need attention early and often in the CISO’s tenure, or the loss of talent will make the goals unachievable.

Is it possible to avoid the Silly Season?

While college football coach tenure is unlikely to improve, having more successful CISOs is sure to improve the security posture of our enterprises. Realistic expectations and an improved understanding of the challenges, coupled with credible plans and the right people, are necessary to stop the CISO carousel.

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.