On the Immaturity of the CISO Role
When the CEO hires a CFO, they know what they’re supposed to get.
When the CEO hires a CRO, they know what they’re supposed to get.
When the company hires its general counsel or CLO, they know what they’re supposed to get.
Every C-level role is well understood by the senior leadership team and the Board but one: the CISO. The CISO role is understood only in the vaguest of terms. It’s often completely misunderstood, even by many who claim the title.
The rate of CISO turnover is notoriously high. Stress gets the blame. The job is stressful, but so is every other C-level position. I wonder if the problem lies elsewhere. How can a CISO’s performance be evaluated if peers and superiors don’t understand the role? And given the novelty of the CISO role, coupled with the relatively small number of people who have experience in it, could it be that the average CISO isn’t very good at their job? Could it be that the CEO, CFO, and Board don’t know how to evaluate the performance of the CISO, even when the CISO performs well?