Five reasons the wrong CISOs get hired

Why do the wrong people keep getting hired as CISOs?

This is a contributed piece by John Mason, a Cyber Security and Privacy enthusiast. You can find him on Twitter.


CISOs don’t have the longest tenures.

Part of the problem is that they can be fired for a multitude of issues: breaches, damages, poor security implementation, compliance failures, and more.

It might be their own fault, sure.

But more often than not, the underlying reason for a short-lived CISO is that they were a bad fit in the first place. They were hired for the wrong reasons. And set up to fail.

Here are five common reasons the wrong CISOs get hired (and how to avoid making the same mistakes).


1. Hiring when it’s too late

It was only after Target’s historic data breach that the company decided to take action.

Tens of millions of stolen records later, Brad Maiorino was tasked with (somehow) cleaning up the mess.

Matt Hakan likens it to your friendly American Automobile Association (AAA): “Sooner or later you’ll break down and join AAA.”

Of course, it’s too little, too late. Brad is extremely qualified, but the problem is that Target, at its scale, operated for so long without someone like him at the helm.

The second issue only becomes apparent when you dig a little deeper into the root cause.

The intrusion itself was a fairly ordinary malware problem, so it wasn’t a technology flaw per se. Instead, Matt points to a “lack of coordination and communication that ultimately led to the security failure.”

Target had already installed a $1.6 million malware detection tool a few months before the incident. According to Bloomberg, the tool worked, too: it ‘sounded the alarms’ and notified the in-house security team.

It’s just that nothing happened in response. At least, not in time.


2. Abdicating instead of delegating

The average tenure of a CISO is only 17 months.

That’s barely enough time to wear in your new office chair.

And it says more about the organisation hiring (then swiftly firing) this position than it does about the individual.

Security, in an ideal world, isn’t one individual’s job: one individual’s burden to shoulder (and a convenient scapegoat to point the finger at when things go awry).

Instead, it should be integral to the organisation’s mission as a whole. Day to day, security rests with a few individuals, sure.

But there needs to be an “organisational commitment” behind them (as Ryan Berg puts it). Then there’s technology, of course. And most importantly of all, processes.

Because processes are what ensure that everything happens as it’s supposed to. Target’s technology worked, and its people were notified of the intrusion. It was the processes that let them down.

Security can be delegated to select individuals within an organisation. However, security can’t then be abdicated by everyone else within it, too.


3. Hiring because of pressure, competition, etc.

You shouldn’t wait to hire a CISO until the… stuff hits the fan. But you also shouldn’t rush into hiring one just because…

A speaker told you to. A good blog post referenced them. Your competitors are hiring them.

Security is (and will be) an ever-present need. Especially in today’s world. But as discussed, it’s larger than any one person.

Unfortunately, that one person doesn’t stand a chance (at least, not longer than 17 months apparently) unless the Board and founders have already taken the time to determine what role security will take in their organisation and how it should be actively managed.


4. Hiring based on technical expertise alone

Technical skills are undoubtedly important. Degrees and certifications can be instructive.

However, CISOs will only flourish within an organisation if they can combine their technical chops with the soft skills required to lead change.

A decade (or two) ago, a security role was more narrowly defined. ‘Cybersecurity’ wasn’t even a thing. Cue Target, Home Depot, even the IRS, and we’re living in different times.

Today’s CISO needs to be able to juggle multiple hats at the same time. They must fluently navigate new regulations and compliance requirements and understand the ramifications of their decisions. They need to be able to coordinate departments internally to get ‘buy-in’. Someone who can relay the pros and cons of free VPNs vs. paid VPNs vs. proxies vs. Tor. Or explain why WordPress may or may not be a good idea for an enterprise.

In other words, the technical skills are just one piece of an ever-enlarging, sophisticated puzzle. And it takes someone who’s comfortable (and competent) in transcending these inter-departmental lines to get things done.


5. Hiring based on the wrong technical expertise

Even the technical skills themselves are diversifying as the landscape evolves.

Pace Morgan lists just a few of these that most CISOs have to be up-to-date on:

  1. DNS, routing, authentication, VPN, and DDoS mitigation technologies
  2. Security architecture development
  3. Tablet and mobile software risk exposure
  4. Disaster recovery planning
  5. Network security and firewall management
  6. Identity management
  7. Digital forensics

That’s a lot of skills. A lot of different areas of expertise. Ideally, you want someone who understands how all of those fit together. But in reality, you’re going to find people who skew towards specialising in a few.

The right candidate for your organisation will have specialities that line up with your own specific needs. That sounds trite on the face of it, but it means the person with the ‘best resume’ or ‘best experience’ may not be the right fit for you.

Even your organisation’s size affects this decision. A CISO at a 100-person company will need vastly different skills from one at a 1,000+ person company. The one at the 100-person company might still need to roll up their sleeves and get their hands dirty, while the 1,000-person one will spend more time leading and managing others.



CISO positions are on the line every single day due to the overwhelming problems they have to tackle.

There is no shortage of external threats to monitor.

So the last thing they need is to deal with internal conflict, too. But too often that’s exactly the case, because they were hired too late, have little-to-no support, were hired for the wrong reasons, lack the necessary soft skills, or don’t have the right technical skills.

They might be able to circumvent some of these.

But it’s more likely that they weren’t hired for the right reasons in the first place. And then it just becomes a matter of time until they’re another statistic.