My friend knew it was foolish. His practice is to bench press his weight, and then add ten pounds per side. On this occasion, he wasn’t thinking and added twenty five pounds per side.
He realized his error as he began his lift. He set the bar down, thought about it, and decided to lift a record weight for him. He didn’t make it.
Among his several mistakes was not having a spotter. His safeguard was a catch bar set just above his chest. He lowered the bar onto it and then squeezed himself out from under it.
Already feeling a bit sheepish, he grimaced when a woman who watched the whole thing asked him if he was okay.
He told me later, “I thought I could bear the weight. I couldn’t. And I didn’t have help in place; so the only option left was for me to get out from under the weight.”
Sounds like what I hear from a lot of CISOs:
- 60% are feeling unbearable stress.
- 53% have suffered job burnout.
- One-third are considering leaving.
- The average length of employment is 18-26 months.
As CIOs, how do we elevate CISOs so that they are not bearing as much weight on their own and get the attention they and security issues need?
Healthy Environment Before Living Things
You’ve heard me say this before. Companies often start stuff before a sustainable environment is in place. That’s especially true of security, which sprang up as a need and a reaction rather than as a carefully thought-through, critical strategic environment.
You know, because much of that is true of IT in general.
As a result, CISOs are using tools that are disconnected from risk and security evaluations. Instead of platforms that can be expanded with fully integrated and multiple application solutions (environment), companies bought point solutions (living things) that lack integration, and therefore, protection.
As well, CISOs have been stuck with legacy systems (living things) whose cost of transformation (environment) has been met with a foot on the brakes.
On top of this, CISOs have struggled to explain cyber risk in a way that the business and the board understand. Boards are tasked with mitigating risk, and yet they are not getting the information they need.
Part of it is a problem in perception: The business and board are thinking in terms of security, not in terms of war. Security is important; I lock my doors at night. War is more. In war, I have to study the enemy, anticipate and counter attacks, and know where and when to be aggressive.
Security is about safety. War is about survival. You as a CIO, and your partner, the CISO, are doing more than defending against a breach. You are defending the existence of the business itself.
Fail to shift perspective, and your CISO will continue to be perceived as slowing down business initiatives, as a cost center, and as the one who always seems to say No.
Couple how a CISO is perceived with the realities of a poor reporting line, of being accountable without much authority, and of often being understaffed and inexperienced relative to the complexity and onslaught of hackers using AI and ML to find weaknesses, and it’s no wonder they can’t hold the weight for long.
The Big Problem And The Three Moves
The toxic environment is rooted in one major problem: The CISO is not being heard, and that is because the CISO often doesn’t know how to be heard.
And why would they? Most are tactical, not political; most are solution-focused, not soft-skill developed.
Which is where the CIO comes in. Heroes make heroes.
Train your CISO in how to communicate.
- What is the pain you are alleviating or the gain you are providing? People, in this instance, business and board, care about themselves. They are not concerned with security as a vague idea; they do care about threats to their well-being.
- What assets and critical business elements are you securing? Protecting my home against break-in is one thing; protecting my son is another. Be specific.
- Who are the attackers? Is it likely a hacker? Or is it a competitor? How about an insider? Notice the degree of concern deepen as I mention each. A hacker might be the result of bad luck. A competitor makes it a bit more personal: someone is focusing on us. An insider, from either neglect or malice, is an any-day possibility.
- Communication is always centered on three dynamics: What is the motivation of the business and board in this moment? How do you as a CISO have an answer to that need? How is the cost worth the investment so that your solution is a high value?
- Motivations need a trigger. People endure pain; they sit on a dream. A trigger event compels them to action. As a CISO, you can’t wait for the trigger to be a breach (though that is what too often happens). You have to tell stories. You have to give a face to the enemy (Southwest Airlines works right now: “Don’t pull a Southwest.”).
See more on better communication.
Encourage your CISO to be in community with peers.
In our CIO Mastermind groups, we deal with specific issues being faced by members so that members get the benefit of years of experience and expertise that speaks into their situation.
Many times the issue isn’t technology, though it can be, but strategy, leadership, communication, political savvy - the larger issues of leading.
Your CISO needs that community. CIO Mastermind offers it for them. But if not us, someone, please.
Teach your CISO about self-care.
As a CIO, you learned a lot these past few years about taking care of yourself in the midst of being overwhelmed: physical movement, nutrition, mental health, time prioritization. Your CISO needs it; they work on average 16 hours more per week than their contract calls for. That’s not right.
Former President Barack Obama said, "I have complete confidence in the Secret Service. These guys and gals are unbelievably professional. They know what they’re doing and I basically do what they tell me to do. Now, sometimes I’m the first one to admit that it chafes a little bit being inside this bubble. It’s the hardest adjustment of being president, not being able to just take a walk."
Business and board, CISOs are looking out for us.
There is freedom in being protected. No greater confinement than being unguarded. Come under their watch. Spot their lift.