
- CISO ignores red flags during recruitment, where business leaders repeatedly mention their “unique developer culture”.
- CISO joins a major company which claims to be committed to cybersecurity.
- CISO publishes 30-60-90 day plan and immediately performs a maturity assessment upon joining.
- CISO meets with over 50 organizational leaders to outline the CISO’s strategic vision and build support. Not a single person provides any meaningful input. The organization has no Internal Audit or Risk functions.
- After completing the maturity assessment, CISO develops and publishes a draft cybersecurity strategy and multi-year roadmap for feedback. Not a single member of the executive management board reads the documents or provides feedback (including the CTO and CIO).
- When asked about weak asset management (less than 35% of devices have EDR or MDM installed), the CIO states that developers don’t like being monitored. The CIO also states that cloud security posture management isn’t a priority (the organization employs a ‘multi-cloud strategy’ with a large footprint across multiple public clouds).
- The organization’s CI/CD pipeline is fragmented with limited security controls. The CTO refuses to commit to robust security in the CI/CD pipeline because the organization is focused on code velocity and bringing new products/features to market. The CTO cannot explain why the Security Champions program failed.
- The organization’s ecosystem is filled with thousands of vulnerable apps because there has been zero investment in the relevant security controls. CISO develops a detailed plan addressing the people, process, and technology required to enhance security in the marketplace. The CISO is largely ignored.
- The organization is obsessed with its annual SOC 2 audit (security theater).
- CISO makes first presentation to executive management, framing the security vision in accessible language such as business resilience, competitive advantage, market differentiation, regulatory compliance, collaborative risk management, etc. CISO highlights the “poor security culture” and asks that executive management make a formal statement about their commitment to security, the authority delegated to the CISO, and the need for business leaders to own security in their domains and cooperate with the CISO. The executive management team is angry and criticizes the CISO for asking them to do what they see as his job.
- A few weeks later, management and the CISO decide to part ways because of a “poor cultural fit”.
This is unfortunately a widespread scenario, and it illustrates why the average CISO tenure is only 18-24 months: poor tone at the top, unrealistic expectations, inadequate resources, accountability without authority, regulatory and legal pressure, and poor organizational culture.
It’s time for CISOs to push back against these toxic situations!
