It never grows old. Hire a CISO, give them no budget, no staff, and then when the inevitable bad thing happens, throw them under the bus as a scapegoat.
This has been going on for a couple of decades now, and doesn’t seem likely to stop soon. It’s irrational, and it is harmful to the companies that engage in such conduct.
If you’re a CISO, you are living with the Sword of Damocles hanging over your head every day.
Here are some thoughts on how not to be a scapegoat as a CISO.
Vet your employer
Years ago I once had an interview where the CEO demanded I “build a wall and keep the hackers out.”
That equates a CISO’s job performance with not getting hacked. Which is like measuring your General Counsel’s job performance by saying “build me a wall and make sure no one ever sues us, oh—and hey, keep the regulators out too while you're at it.”
Any lawyer in their right mind would roll their eyes and immediately turn down that job offer. You’d have to be insane to take such a job. And yet such ridiculous conversations continue to this day.
Negotiate the highest salary possible
As CISO, you face extreme employment risk because you are a scapegoat-in-waiting. That means that you could face months of unemployment and no salary due to irrational actors outside of your control.
Price that into your salary negotiations. Higher financial risk reasonably demands higher compensation.
The CISO is a business leader. Act like it.
Set expectations up front
As CISO, your job is whole-of-company security risk management. Managing risk, not eliminating risk. And that means informing the CEO and Board about the risks they carry, and giving them options to mitigate risk or accept risk.
There isn’t any “no risk” option. If anyone so much as hints that this is their thinking, run away, run away. Do not work for these people. It’s not worth it.
Set up a Security Steering Committee if one doesn’t exist
Make sure there is a regular group of executives, including at minimum the CEO and General Counsel, but also the CIO or CTO if you have one, the CFO if you’re a financial company, and other business leaders.
It doesn’t have to be called a Security Steering Committee. It can be any group of senior executives with the authority to approve budget and accept risk.
Make it clear to this group that your job is to execute to meet their risk tolerance, but that the buck stops with them, and not you.
This is not an attempt to shirk responsibility. The CISO executes to meet business risk appetite within the budget the business gives the office of the CISO.
However, making trade-offs between risk and opportunity is not, and should not be, the CISO’s job.
The CISO should be preparing options with trade-offs and letting the Security Steering Committee make those difficult decisions.
But that also means when the Security Steering Committee makes a decision, they own the consequences of that decision—a point to repeat loud and often to anyone who will listen to you.
If you as CISO inform the Security Steering Committee of a major security risk, and the meeting minutes show they explicitly chose to accept that risk, then they cannot in good faith come at you after a breach resulting from that risk.
Do your job well
Doing your job well is no guarantee of continued employment, but it sure can’t hurt. Being CISO is a fascinating and stimulating and difficult and stressful job, and it’s worth doing well.
Your job as CISO is to maximize your Security ROI, as I’ve written before:
Irrational actors may still throw you under the bus, and if that happens you need to at least be zen that you did the absolute best job you possibly could.
Be prepared
There aren’t that many CISO roles out there. That means you need to be prepared to drop back into a Principal Security Engineering role at a moment’s notice.
Even though your primary job duties may be more management than technical work, never let your tech chops slide. Keep ‘em sharp. If someone decides they want your head as a scapegoat, you need to keep your career moving forward.
I make a point of spending an hour a day, more on weekends, in continuously sharpening my technical focus. This serves my employer well, and it also manages my employment risk in the event someone wants my head.
Conclusion
Being CISO is a nerve-wracking job, not just because of the very real risks you have to manage for your employer, but also the meta-risk of being unfairly jettisoned through the airlock due to factors outside your control.
Take steps to manage your employment risk the same way you take steps in your job to manage your employer’s risk. Like the stuff I just talked about above.
Of course, all of those mitigations might still fail. But as someone somewhere once quipped, “Life is risky. You aren't getting out alive.”