Why CSOs Lose Their Influence and Get Fired
Your path to a pink slip might have started on day one – it’s failure in the soft skills that gets enterprise security executives fired.
You might already be on your way to a pink slip – according to industry experts, the termination process might begin before a CSO even starts work at a new enterprise. But before you give up, there are ways to make sure your employment isn’t teetering over the precipice of disaster.
“Operational failures that cause people to be fired are often due to a foreseeable, preventable set of circumstances,” says Jerry Brennan, founder and COO of Security Management Resources (SMR Group), an executive search firm focused exclusively on corporate security. "If the failure goes public, potential damage to the organization's reputation can result in politically expedient terminations. However, it is more often the mismatch of personnel and their ability to manage programs that ultimately result in the individual's dismissal."
According to Brennan, the top four reasons for a CSO’s termination are:
- Cultural Fit
- Failure to Build Relationships
- Total Mismatch for Organizations’ and Individuals’ Expectations for the Role
- Management Shift or Change at the Senior Level
“Organizations don’t necessarily seek a total match when hiring,” he says. “They may focus only on technical skills and neglect organizational expertise. This will set both the enterprise and the CSO up for failure.”
Brennan also says that, especially in the IT field, it’s so easy to get bogged down in the operational pieces of the role. As a result, security leaders miss having a business strategy that they can sell throughout the organization: “Being right doesn’t mean you’ll be successful,” he says. “You still have to communicate those technical ideas to your peers.”
Lance Wright, of Lance Wright & Associates, LLC and one of the originators of the CSO ANSI standard, also considers enterprise culture to be the key point for many new hires (and fires). “The CSO position hasn’t been around too long, so corporations sometimes say they want a CSO, but they aren’t clear about their expectations or perceptions of the job,” he says, adding that CSOs are also often at fault through the “soft skills” – interpersonal communication and relationships within the enterprise.
“On paper, you might be a very good match – technically skilled, trained at the FBI or other agencies – but it’s the soft side that is contributing to the demise of CSOs. Failures at the soft side usually result in the individual not performing at the executive level.
“There’s a disconnect between expert and general communication,” Wright says. “At this executive level, CSOs definitely bring a degree of expertise to the table, but they need a generalist capability to communicate their ideas and move the business forward.”
Wright lists five major management issues that might have been seen as assets in former organizations, but can seriously cripple a security executive’s position:
- Micromanagement: Not giving peers and other departments room to operate independently reinforces a “corporate cop” image.
- “Macho” behavior: This lends the impression of an organizational bully.
- Client-relationship failures: Forgetting that the enterprise is security’s client leaves gaps in customer service and neglects joint business goals.
- Overly self-important behavior: Having a strong “turf mentality” appears standoffish and unwilling to cooperate with others.
- Siloing yourself: A lack of generalization and coordination with other departments alienates the security function.
The Soft Side of the Job
“When we’re looking for individuals for most executive positions, we’re looking for five major characteristics,” says Jack Cage, President of Cage Talent and Premier Profiling, an executive search and recruiting firm. He looks for a perfect balance among these skills:
- Openness: How well you can interact with others
- Conscientiousness: How consistently you drive toward getting a job done
- Extroversion: How much or how little you engage with others
- Agreeableness: How much you are able and willing to come up with a win-win situation
- Neuroticism: How much are you able to handle your emotions on the job
“Generally, if someone doesn’t do well, they’re ‘off’ in one of these dimensions,” says Cage, who previously taught leadership and psychology at West Point. “For example, you have a world-class, highly skilled person with great experience, but they don’t work out because they’re rigid in their management style (not open to new or different ways of getting things done), not agreeable when working with others, especially their boss, and have some low-level agitation or anger issues that make them appear and act ‘off.’
“It has nothing to do with his or her ability to get the job done, but it has everything to do with how they work with others, that is, the ability to fit in with other people,” he adds.
Pre-Hire Due Diligence
“I’m shocked that some CSOs haven’t done even a fraction of basic investigation into their potential organizations that they would usually do for a small fraud,” says Wright. “Individuals, especially new executives, might be enamored with the transition, and the compensation can blind you, but at the micro-level, you should check out the organization thoroughly before joining it.
“Talk to folks who are in or involved with the organization to get a picture of its patterns for success,” he instructs.
Wright says that there are three types of enterprise security departments: Innovators, Protectors and Responders.
“Innovators are constantly scanning the environment for what should be done, regardless of what’s required by law. Innovative enterprises need someone with the ability to perform beyond what’s required. Protectors need someone who will do what’s necessary to safeguard the business, but the rest of the budget can go elsewhere after the basic needs are taken care of. Responders fix things when they become a problem,” he says.
“If you have a company that’s not particularly innovative, a CSO that takes strong initiative might get fired. You need to know this ahead of time.”
Wright recommends interviewing perspective enterprises in return, asking strong questions that give an impression of the overall security and enterprise culture, such as “How often do you expect me to provide you with an update of my projects?” (Quarterly means an innovative enterprise, willing to let you take the lead; weekly means responsive, and hints at micromanagement.)
Cage also suggests that prospective security executives, when interviewing for a new role, examine the new enterprise’s management in a variety of situations: “Go beyond the normal ‘dating behavior’ that takes place on both sides – the candidate and the interviewers – and really identify the characteristics and behaviors that can derail you on the job,” he says. “Eighty percent of your success hinges on how well you work with your boss, so meet in multiple situations – have an interview in the office and then have a second meeting over lunch or dinner. Look for inconsistencies in the way that person behaves that would suggest that they are ‘putting on a show,’ that they're ‘on their best behavior’ during the interviewing process. Ask other people for their impressions of the key manager's strengths and weaknesses, and have a strong idea of how decisions are made before you jump in – Is it an autocratic style? A consultative approach? Participative? How are resources allocated?” These are questions you should be able to answer before you take on a new role with a different boss, Cage says, or you’ll already be behind the curve.
21st Century Security on a $5 Budget
In some organizations, the position of CSO may be a new one. Many enterprises want to have the position, but the programs aren’t mature enough to fully realize the department, which puts the security executive in a tough spot.
“If the organization feels their only investment in security is to provide minimum compliance standards, it would be beneficial for the individual to get a glimpse of that vision before they join,” says Brennan. “It’s all about understanding internal and external customers, and developing a business case that makes your internal client feel successful.
“Most of the time, in those circumstances, the enterprise doesn’t want to spend the money because they don’t see the ROI. Don’t pitch a good idea unless you can make the internal customer see the value to it,” he adds.
Brennan describes the CSO’s job here as a sales function – the enterprise has to have a viable need for the product you’re selling, so you have to understand the internal customer’s requirements in order to fulfill them, even with solutions they might never have considered.
“Build your strategy, influence your peers and fellow executives and get their support. If the CEO doesn’t necessarily agree, but you’ve garnered support from other division heads, you’ve got a good chance of being able to execute your plan,” Brennan says. Getting results and positive, forward momentum is the key to keeping your position and your enterprise safe in a compliance-minded setting.
“It’s best for individuals to almost not think of themselves as CSOs, but as an executive – a business person – who has security as a part of their responsibilities,” says Wright. “Make the conversion from corporate security cop to a business person in the C-Suite.”
Improving Your Cultural Fit
Perhaps you’re already in a tricky cultural fix – how can you improve your status within the organization? According to Cage, by asking the question, you’re already halfway there.
“An executive has to have a sense of openness and willingness to take on new information,” he says. “The most powerful component of growth is not a course or a class on ‘leadership’ – it’s behaving in a way, as seen by others, that emphasizes your openness, conscientiousness appropriate engagement with others, agreeable manner and expressing appropriate emotions. Then, you can work with a boss or coach to suggest better behaviors or approaches to take on.
“The five dimensions don’t change that easily – it takes a great deal of personal strength and conscientiousness to change,” Cage adds.
Brennan recommends struggling CSOs work with their HR departments to build up any weak management areas. On the cultural side, however, frank discussions with bosses, peers and HR departments for “a little bit of self-evaluation” can be a boon.
“People measure professional capabilities around harder skills versus the nuance of soft skills,” Brennan says. “Ask ‘In what areas do I need improvement?’ The individual has to understand how the organization values competencies – read answers on a broader context, not just the words. Go deeper into the responses and suggestions, because they’ll often tell you the keys to what executive behavior the enterprise really needs.”
Overall, any individual who climbs to the CSO or director level has the technical skills to advance an enterprise’s security, but personality and fit are often the be-all-end-all for organizations that are built to function as a team, whether to innovate, protect or respond.
“Executives are hired for their skill,” says Cage, “but fired for their fit.”