They include a combination of pressure and the unrealistic expectation that the CISO should not just lower the risk of major breaches, but prevent them altogether.
The modern CISO is also expected to have skills that go well beyond being a technology geek – to understand and “speak the language of business,” and be a strategic participant in business decisions.
“The new CISO is more the CIRO (chief information risk officer) tasked with managing risk to data and technology,” said Dawn-Marie Hutchinson, executive director in the Office of the CISO at Optiv.
“Five years ago, the role was buried many layers down in the organization, if it existed at all,” she said. “Today, the CISO is a business leader.”
Diedre Diamond, founder and CEO of CyberSN, speaking at the recent SOURCE Boston conference, offered three other reasons: Lack of understanding of the role, lack of advancement potential and unhappiness with leadership or company culture.
She cited research that shows the average CISO remains in a given position for only 17 months.
To all of that, add to the list what some are calling “vendor overload” – more than a thousand companies pitching security tools and solutions. That is far too many for any CISO to evaluate properly and still do the rest of the job.
There are still some compelling factors that make the CISO title attractive.
The money is good – the median salary according to some surveys is around $194,000, but it can top $270,000.
Unemployment in the field hovers around zero, since the demand for talent has overwhelmed the supply.
And over the past decade, the CISO role has taken on greater importance and influence.
But what Feris Rifai, cofounder and CEO of Bay Dynamics calls, “a gold rush in security during the last three years,” has made the task of evaluating security tools overwhelming.
“Investors poured money into the industry and as a result, more vendors surfaced. So now there is an imbalance between the number of security vendors and the number of CISOs,” Rifai said.
He noted a 2015 report by CB Insights that found, “over the past five years, $7.3 billion had been invested into a whopping 1,208 private cybersecurity startups.”
David Zilberman, managing director at Comcast Ventures, a venture capital firm, acknowledges the role investment has played.
“The need for cybersecurity is bigger than before,” he said, “so there are a lot of companies trying to build a better mousetrap. And venture capital firms are fueling it by funding these companies.”
Andrew Hay, CISO at DataGravity, said cloud architecture may also be a factor, “specifically SaaS (software as a service) delivery models, lowering the barrier to entry,” leading to an exponential increase in security startups that are all, “promising to solve the same problems, or invent a new problem to solve.”
Whatever the reasons, Zilberman said there is now, “a sea of vendors with similar products. At one point, Gartner was tracking 23 endpoint protection vendors. I speak to CISOs all the time regarding doing their day job vs. vendor evaluation. They just don’t have the bandwidth to do it.”
The imbalance is exacerbated even more by some CISOs deciding to, “move on and try to sell their own products,” Zilberman said. “They’ve joined the vendor ecosystem.”
It is not just that there are hundreds of products on the market. It is also that CISOs are solicited as “testers” for “minimum viable products” – the first, rudimentary version of a tool that needs feedback from early users so developers can refine it, eliminate bugs and add features before pitching it to the mass market.
That label, “does not mean it’s a bad product,” Rifai said, noting that Techopedia defines it as, “a development technique in which a new product or website is developed with sufficient features to satisfy early adopters. The final, complete set of features is only designed and developed after considering feedback from the product's initial users.”
That model has worked, he said, but, “due to the sheer volume of security vendors today, CISOs have less time to be a vendor’s guinea pig.”
In an ideal world, Hay said, the CISO, “would have a technical staff to evaluate the tools,” which would allow him to focus on the “strategic vision” of the security program – “policies, procedures, guidelines and standards that must be defined, maintained and measured,” he said.
The CISO would then be brought in when a purchase decision needs to be made, “to validate that the products in question align with the organization’s security goals,” he said.
Of course, the ideal is not always reality. So experts generally agree that the overwhelmed CISO should focus not on what vendors are selling, but on what the organization needs.
Dan Waddell, managing director, North America region and director of U.S. Government Affairs for ISC2, said CISOs should understand the environment of their organizations, and then when presented with a product pitch, “ask all stakeholders to be present to provide input – not just the security team, but personnel from procurement/acquisition, finance, enterprise architects, etc.
“The various perspectives will ensure that the solution aligns with the organization’s policy, governance and staffing goals,” he said.
Irfan Saif, a partner in Deloitte Advisory Cyber Risk Services, said the need to understand the organization’s needs and business requirements is “paramount,” and the failure to do that can lead to the use, or overuse, of, “overlapping or redundant tools that aren’t integrated or aren’t working in unison towards mitigating and managing key risks to the organization.”
That, he said, “can distract from the more important task of truly understanding the risks and threats and designing the right solutions, which may include one or more technologies working in tandem.”
Hutchinson agreed. “Focus on what your business needs, not what tools are available,” she said, adding that it is also important to make sure security measures enable the business, and don’t restrict what workers need to do.
“As a friend of mine says, ‘the purpose of a door is to control the flow of people to and from the house.’ If I put 50 locks on the door, it is most definitely secure but it no longer functions well as a door,” she said.
And when it comes to cutting through the hype, Hay said sharing information with colleagues can help. “If your product or solution can solve an actual problem, and not just a marketing-derived problem, the ‘hype fog’ can be cleared away from the product pretty easily,” he said.
“When your product or service is built on hype and not value, the industry that it aims to serve will quickly pick it apart and surface its actual value.”
Zilberman agreed. Especially smaller organizations, he said, “can look for tools that have had success in the industry. They can evaluate it through ‘referenceable’ customers. You don’t want to be the guinea pig.”
Saif agreed, adding that CISOs aren’t the only ones dealing with a marketing blitz.
“The challenge of separating fact from fiction and not being lured by slick marketing is not a challenge unique to CISOs,” he said.
Zilberman said he thinks the market is sorting itself out somewhat based on Gartner’s so-called “hype cycle,” in which an emerging technology reaches a peak of “inflated expectation,” then slides into a “trough of disillusionment,” and then moves back into a more sustainable growth curve called the “slope of enlightenment.”
“The security industry is very much following that curve,” he said. “We were at the front end 12 months ago with huge amounts of capital pouring into it. Now, some companies are not growing as fast as expected, so we’re more in the trough of disillusionment.
“But bad guys are not going away,” he said. “I think there will be a slight correction, and in the not-too-distant future, the market will rebound.”