
CISOs are changing their ways amid their toughest environment ever

By Robert R. Ackerman Jr.
September 2, 2021

Perhaps the most talked-about job in the information technology world these days is that of the chief information security officer (CISO) – the man or woman responsible for an organization’s data security and privacy. And for a good reason – nothing gets more attention in the IT world than the endless attacks on big corporations and government entities, which, on average, result in a price tag of roughly $4 million when they are successful.

So it’s hardly surprising that a triumphant CISO is primarily a leader, a manager and a communicator.


They are a technologist as well, but this typically gets less attention because it is treated as a universal given. Under pressure, the horizons of CISOs are broadening. Now their top priority is to play their part in contributing to the overall success of their employer.


Those who don’t understand or meet business requirements and expectations or don’t effectively communicate don’t last, especially at public companies, dedicated by nature to building shareholder value. For this and other reasons, such as the inadequate security of far more remote workers and the explosion in phishing and ransomware attacks, this is the most challenging time ever for CISOs, and that is saying something in a perpetually stressful occupation. The average CISO stays on the job only two to three years, and a Ponemon Institute study has found that a sizable percentage of surveyed CISOs would prefer to ultimately find a job outside of IT security. This – plus the fact that more companies are hiring CISOs for the first time amid the increasing need to improve protection for IoT devices and in the cloud – is sparking a growing shortage of them.


“The market for CISOs has become very competitive,” says Michael Elmore, a CISO at global GSK Consumer Healthcare, who is typically approached for a job once or twice monthly and says his CISO friends and acquaintances tell him much the same thing.


To succeed, CISOs need all the help they can get, especially at the start of their employment, and I’ll address that momentarily. It’s noteworthy that helpful measures benefit organizations and enterprises in general, not merely individual CISOs. Given the growing CISO shortage, it’s in the interest of most organizations to keep the security leader around as long as possible. This is the case even though CISOs are still often held in lower regard by their colleagues. Other C-suite executives not infrequently think that CISOs’ relatively narrow skillset makes them insufficiently fluent in business.


To better fit into corporate environments, less multi-faceted CISOs must move beyond monitoring, repelling and responding to cyber threats to become leaders who help create an organizational culture that liberally shares cyber risk ownership. They also need to manage information risk more strategically and, as already mentioned, better integrate cybersecurity with the business overall.


As is the case in many professions, CISOs have to lead the charge to broaden their acumen themselves – and they’re best off doing so from the get-go. Their first 90 days on the job, in particular, provide a window of opportunity for establishing their credibility and earning a vote of confidence from leadership. This requires, among other things, thoroughly assessing a corporation’s organization, technology, governance, and the processes it embraces.


Here are the steps a newly hired CISO should take:


1. Don’t wait until your first day on the job to prepare. 

Learn what you can about colleagues and staff. Try to set up meetings ahead of time with your team and key business and IT leaders, showing that relationship development is a top priority. Don’t make the mistake of approaching your new role with ad hoc communications and plans. Every company’s culture is different, and you have yet to learn it. 


2. In the first 30 days on the job, develop an understanding of your new business environment. Meet individually with the organization’s leaders and staff. Immerse yourself in the company’s geographic locations, its business partners and stakeholders, and financial and operational performance.

In addition, go out of your way to identify and engage key stakeholders, such as board members and other strategic leaders, in individual discussions to obtain additional insights and perspectives about the business. Technical staff members should be included on the list because important insights often come from all levels of the organization.


Lastly, CISOs need to familiarize themselves with current and future strategic targets to help determine areas in which security-related initiatives best meet the needs of the enterprise. All of these steps help make the new CISO a more valuable asset. In addition, talking to a multiplicity of qualified employees enhances the breadth of a cybersecurity program because a successful one almost always requires buy-in among most employees.


3. In the second 30 days on the job, independently assess the current state of cybersecurity practices. This helps identify existing cybersecurity strengths, weaknesses and threats and enables the CISO to determine the most cost-effective course of action to improve things.


4. By the start of the final 30-day period, you should have a firm grasp of the cybersecurity environment and be poised to make some changes. You can now begin designing and developing an improved strategy for IT governance and security, one focused on resolving the identified risks and setting the stage for better risk mitigation down the road.


As more months go by, a thorough and seasoned CISO is in an excellent position to sidestep or at least mitigate cyber breaches. Sometimes the response is painful but the best option. Take a ransomware attack, for example. Should an organization pay hackers to resolve it? Law enforcement says no. But it depends. Paying is costly but often less than the cost of data loss, and downtime irritates customers.


An enlightened CISO is the most qualified to weigh the pros and cons of such a decision and make the right call to mitigate trouble. This is a lot better than the wrong call. And in a world replete with chronic attacks and breaches, it’s probably the most any organization can ask for.


This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.



Robert R. Ackerman Jr. is founder and managing director of AllegisCyber Capital and co-founder of cyber startup foundry DataTribe. He was the first investor to create a venture fund focused exclusively on cybersecurity and data science and has been investing in cybersecurity for more than 15 years in the U.S. and select international markets. 
