Increasing cyber attacks and the pressures COVID put on organizations is making chief security officers and their equivalents think of the unthinkable: Quitting.
In fact, Gartner believes by 2025/26, almost half of current CSOs will have left their job for another post, and of them, 25 per cent will leave cybersecurity.
Some call this The Great Resignation. Gartner calls it The Great Reflection, as infosec leaders reflect on whether they can find a balance between work and their personal life. Sometimes they conclude the solution is walking out the door.
With the current talent shortage, that’s not sustainable.
At this week’s IT World Canada MapleSEC security education event, two Gartner experts discussed what individuals and corporate leaders can to do halt this trend.
“Part of the challenge CSOs face … is you feel like you’re pioneering what you’re doing while you’re executing it,” said Geoff Crampton, an Ottawa-based Gartner executive partner. That’s in part because the CSO role is relatively new. Also, many CSOs have risen through IT positions, but today the C-suite demands members be business leaders, which isn’t a competency many CSOs have.
“You really have to sit down and figure out where are you going to invest your time, how are you going to invest your time, and what’s the most important place to put your time,” Crampton said.
Satyamoorthy Kabilan, a senior executive partner at Gartner and former director of national security and strategic foresight at the Conference Board of Canada, said CSOs should take a page from research done on others who face high-stress periods: First responders, such as police and firefighters, as well as emergency managers. One lesson: In an emergency, you can’t run 24/7 for a week, you need a team that can step in for you.
So he advises CSOs to build a team that can share duties in a crisis.
And sharing responsibility, he added, is a great motivation for others on the infosec team to stay with the company.
Meanwhile, corporate managers need to help take the load off the backs of CSO, said Crampton. “That starts with the organization understanding that cybersecurity is everyone’s responsibility. This is not a technical issue, this is not for one person to have to carry on their shoulders.”
The way senior management does that is by recognizing that cybersecurity issues are enterprise risk issues.
Gartner calls this the organization’s cyber judgment: Its ability to make risk-based decisions on a number of factors, including cybersecurity.
When an organization has good cyber judgment, Kabilan said, the CSO won’t be seen as “the blocker” of innovation. To do that, he added, the CSO has to understand the business’s needs.
Ultimately, Kabilan said, it’s up to senior management to decide if they have a great CSO — or a potential CSO — to make sure the organization develops and keeps them.
“We want CSOs to move from a role that prevents breaches to a leader that facilitates risk management,” Crampton concluded. “Second, we want to move from cyber risk being seen as a security problem to cyber risk as a business or organizational risk. Third, security can’t be seen as a roadblock. We want to re-frame that to ‘Security enables agile secure products and business operations.’
“If we can find those three reframings happening over the coming years, these positions will become much more supported in our organizations and [infosec] people will feel supported.”