From $640K Salaries to Prison Cells: The Shocking Realities Facing Today's CISOs
"May you live in interesting times."
I’ve never been sure if that’s supposed to be a blessing or a curse – but one thing is for sure: the times we are living in are nothing if not interesting. This phrase encapsulates the current state of the cybersecurity world—a landscape teeming with challenges and opportunities for Chief Information Security Officers (CISOs).
The Stark Reality for CISOs:
CISOs today are navigating an unprecedented era of digital threats. Cyberattacks, ranging from ransomware to sophisticated malware, are increasingly becoming a norm rather than an exception. In these turbulent times, a CISO claiming their organization is untouched by significant cyber-assaults is likely unaware of the full picture. The cybersecurity domain has reached a critical inflection point, with attacks increasing in volume, velocity, variety, and complexity.
A Tale of Two Futures:
The path ahead for CISOs is bifurcating—one leading to recognition and financial success, with top professionals now commanding annual packages exceeding $640,000, and the other, less fortunate, leading to professional disgrace. The choice of path largely depends on the CISO's approach and decisions. While a small select group of CISOs will succeed phenomenally – professionally, personally, and to the benefit of their organizations – most others… Well, not so much.
A Warning from Recent Events:
The trial and subsequent sentencing of former Uber CISO Joseph Sullivan has established a concerning precedent. Charged for his role in a 2016 data breach cover-up, Sullivan faced up to 15 months in prison. While the Judge ultimately sentenced him to probation, he felt compelled to tell Sullivan: "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison." The Judge went on to say: "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off."
The Judge made clear that future incidents will not be treated so leniently. The criminal conviction of this CISO has stirred conversations within the cybersecurity community about the balance of responsibility that security executives must maintain – a balance made considerably more complex as the sophistication and frequency of threats continue to increase, while security budgets often do not grow apace.
The primary factors contributing to the dramatic increase in the firing and flight of CISOs that we’ve seen over the past few years include the scapegoating of Cybersecurity Leaders following data breaches, software attacks, hacks, and inevitable security incidents.
CISOs are also increasingly being blamed and dismissed for reasons ranging from the uninformed misperception of non-technical professionals (who couldn’t tell a server from a snow cone) assuming the CISO must have failed to anticipate and address risks effectively, to budget overruns, poor reporting, insufficiently addressing compliance issues, failing to ensure accountabilities, and conflicts with senior management; disputes that are most commonly caused by arguments over the budgets and resources CISOs desperately need to fulfill the ever-growing remits for which they are being held responsible.
Case in Point: Amy Bogac – the former CISO and VP of Enterprise Security and Infrastructure for the Clorox Company. Since joining the global manufacturer and marketer of consumer and professional products in June 2021, Bogac proved to be an exceptional CISO. She was credited by Clorox for having “developed a strong Security & Infrastructure team" and serving as “a champion of cyber security best practices externally and across the company,” as she participated in ongoing efforts to “influence and educate others on cyber security awareness and relevant topics.”
But then, the inevitable happened. An unforeseeable cyberattack knocked Clorox to its knees. Making matters worse, consistent with recent rulemaking by the Securities and Exchange Commission (SEC), companies are now required to take cyber incidents far more seriously than many have in the past. As you probably know, new reporting requirements that came into effect just a few months ago, on July 26, 2023, now mandate the disclosure of cybersecurity incidents for all publicly traded companies. The new rule also requires companies to disclose their cybersecurity strategy and governance – with responsibilities for cybersecurity reaching up to and including Boards of Directors.
In keeping with these new regulations, Clorox was compelled to report the incident in its first-quarter fiscal 2024 earnings report at the start of this month. The company was forced to acknowledge a 20% drop in year-on-year Q1 net sales – a $356 million decrease – a deficit that, Clorox reported, was "driven largely" by the cyberattack. In a subsequent SEC filing, Clorox noted that direct expenses related to the network break-in for the three months ending September 30 totaled $24 million. The result? After hiring Bogac just 28 months prior, in June 2021, Clorox is now looking for a new CISO – and the reputation of another of our colleagues has been ruined.
As regrettable as the incidents at Uber and Clorox have been, the one that resonates with me most viscerally is the October 30th announcement by the SEC that they are charging Timothy Brown, the former CISO of SolarWinds, with “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” Why did this case hit home for me more than any of the many (many!) others we’ve seen over the past few months and years? It’s because our capability, CodeLock, was invented in the wake of the SolarWinds hack specifically to ensure nothing like that could ever happen again.
A group of us were discussing SolarWinds, Uber, Clorox, and a couple of others just last week when my best friend (who has been a CISO since before it was an official title – and I suspect since Fred Flintstone was a toddler) told a CISO and mutual friend, “If you think it can’t happen to you, you haven’t been paying attention.”
The New Reality for CISOs:
Coupled with the high levels of stress and burnout among our fellow professionals, it’s little wonder why the best and the brightest among us are increasingly leaving the profession. The growing threats to organizations (and individual careers) are reflected in the high turnover rate of CISOs – with tenures now averaging less than 26 months. In Fortune 500 companies, about 24% of CISOs have been in their current position for less than a year. And it is not lost on my colleagues and me that, despite the exploding unmet demand for cybersecurity expertise (there are, as we all know, now 3.5 million unfilled cybersecurity jobs, with more than 750,000 of those positions in the U.S.), the role of CISO has become more precarious and perilous than ever before.
Your New Remit: Do more with less, faster, and cheaper while proactively anticipating and responding to more diverse and devastating cyber-assaults than anyone has ever seen. And that’s when “its” not hitting the fan. This has become our new normal – and what we now call a typical work week.
Faced with increasing threats and responsibilities, CISOs must operate under the mantra of 'doing more with less.' The role has become both precarious and crucial, with high turnover rates and short tenures becoming common. However, amidst these challenges, there lies a silver lining.
Opportunity is Knocking
The good news is that the best of our profession is flourishing in this rapidly evolving threat landscape. A recent report from CSO Online highlighting the current state of compensation for top cybersecurity talent in various organizations shows that there is considerable opportunity for CISOs who are willing to evolve their capabilities.
The research conducted by security analysis firm IANS, in collaboration with headhunting firm Artico, shows that the top 25% of earners in cybersecurity now receive an average cash compensation of approximately $523,000 per year, with total compensation reaching around $640,000 when including equity; an explicit acknowledgment of their value. According to the report, this compensation spectrum varies by specific roles, with CISOs at the higher end of the scale. Perhaps as importantly, these Cybersecurity Leaders are increasingly invited to integrate cybersecurity strategies with broader organizational goals – earning CISOs “a seat at the table.”
The report underscores that aligning cybersecurity efforts with the organization's broader needs has become a key focus for leading CISOs. Specifically, providing monetizable benefits to the organization, facilitating cost-savings, improving accountability and the efficiencies of developers – and, perhaps most importantly, providing best-in-class security – is increasingly setting the top-tier Cybersecurity Leaders apart.
The Pivotal Role of CodeLock in Cybersecurity Leadership
Becoming a standout CISO in today’s digital landscape means leveraging the right tools and strategies. While there's no one-size-fits-all solution, adopting advanced, cost-effective technologies is key to enhancing your cybersecurity posture.
Enter CodeLock: a groundbreaking, AI and Machine Learning-driven SaaS platform tailored for DevSecOps. CodeLock offers real-time software security monitoring right at the code level. It's versatile, available for both cloud and on-premises deployment, and features an intuitive compliance dashboard. This dashboard empowers managers to effectively track, audit, and safeguard their software development processes. Moreover, it provides critical metrics to optimize the Software Development Lifecycle (SDLC), enhancing overall performance without compromising the efficiency or quality of your development team's output.
What sets CodeLock apart is its dual focus on enhancing both security and operational efficiency. It stands as a cost-effective solution that aligns with the latest software development security regulations, such as NIST 800-215. By implementing CodeLock, organizations can save substantial time and resources, potentially reducing up to 10,000 hours of labor and over $950,000 annually.
Customization is at the heart of the CodeLock platform. It's designed to adapt to your specific needs, offering management alerts through various channels like SMS, dashboard notifications, or automated calls for any unauthorized code introductions. Additionally, CodeLock integrates seamlessly with existing Security Operations Center (SOC) systems and can be tailored through Business Decision Rules or Robotic Process Automation (RPA) / Intelligent Process Automation (IPA) for enhanced response mechanisms.
CodeLock's unique capabilities have not gone unnoticed. Esteemed platforms such as TechCrunch, Forbes, Barron's, and ITPro have recognized it as a transformative solution in the cybersecurity sphere. Gartner has also recommended CodeLock as an integral component of the SDLC process. This platform has earned accolades from CISOs, CTOs, and CIOs across various industries, with one leader commending its unparalleled ability to tackle SDLC challenges. In an unprecedented acknowledgment, the U.S. Department of Homeland Security (DHS) has said: “CodeLock appears to have the capability to stop the most sophisticated criminal malware. With respect to cyber-attacks from hostile nation-states, CodeLock would also be effective.”
Looking Towards the Future
The evolution of the Chief Information Security Officer's role in the modern corporate world underscores a vital truth: technical expertise, while essential, is only part of the equation. The contemporary CISO must also be a strategic leader, adept at navigating complex organizational dynamics and ever-changing regulatory landscapes. In this rapidly expanding digital frontier, success hinges on a blend of technological proficiency, strategic insight, and business acumen.
Recognizing this multifaceted challenge, we are excited to introduce "Next Level Leadership for CISOs" – a comprehensive program designed to elevate your skills and prepare you for the highest echelons of cybersecurity leadership. This 16-week course, requiring just 90 minutes of your time every Friday, offers a unique opportunity to deepen your understanding of business strategy and executive decision-making in the context of cybersecurity.
This course is tailored specifically for CISOs, focusing on strategic management, economic analysis, and leadership skills critical in the cybersecurity domain. You'll engage with real-world case studies, cutting-edge theories, and industry-relevant curriculum in technology management, corporate finance, and ethical leadership. Moreover, you'll join a network of peers and industry leaders, sharing challenges and ambitions, further enriching your learning experience.
A highlight of the program is the Capstone Project, where you'll apply your learnings to simulate real-world cybersecurity and business scenarios. This practical approach ensures you not only gain theoretical knowledge but also the ability to apply it effectively in complex decision-making situations.
Key Course Details:
- Duration: 16 Weeks of Intensive Learning
- Format: Weekly 90-minute sessions blending theory and practice
- Exclusive guest lectures from industry experts
- Tuition: $2,300 [Complimentary for all CodeLock customers!]
By the end of this course, you will have gained a comprehensive understanding of the broader business landscape, significantly enhancing your ability to lead and make informed decisions that align cybersecurity strategies with overarching business objectives. This program is not just an investment in your professional development; it's a pivotal step towards becoming a CISO who not only protects digital assets but also drives business growth and innovation.
Enrollment for the "Next Level Leadership for CISOs" program is open now, with classes commencing on March 1, 2024. Take this opportunity to redefine your role as a CISO and join the ranks of the cybersecurity elite.