Lots of C-level executives deal with stress. Ciso stress however may be unlike most others. Poorly defined expectations, a lack of training for the role, and exclusion from broader strategic discussions can lead a CISO to drink.
In fact, a recent survey revealed a disturbing number of Cisos deal with work-related stress by consuming alcohol or other forms of self-medication.
The problem requires senior managers to change their views on the CISO role, according to Larry Whiteside, Chief Information Security Officer for Greenway Health. Whiteside is an inaugural member of Accellion’s CISO Advisory Board. He provides valuable insight into the challenges and opportunities inherent with the CISO role in general and the healthcare industry in particular. This blog post is the first in a series.
The fundamental problem involves expectations, or more specifically, the lack thereof. Whiteside notes it’s not uncommon for companies to hire a CISO without knowing what they want or need from the position. This is especially problematic in Whiteside’s industry, healthcare. “HIPAA mandates healthcare providers have a CISO and these organizations are hiring CISOs very quickly without understanding what they need from them or how to utilize them. If CISOs don’t know or understand what’s expected of them, how can they be expected to demonstrate their value?”
Senior management isn’t entirely to blame. As Whiteside sees it, CISOs often come into the role with no formal training. He sees new CISOs being promoted or hired into the role without really knowing what to do or how to communicate their function to their superiors. “Some CISOs are very technical and if they speak to the Board in terms of 1’s and 0’s, rather than dollars and cents, they’re going to fail; the Board understands risk, not technology.” Whiteside is a firm believer in mentors to help new CISOs navigate these uncharted waters.
For CISOs to succeed, Whiteside believes companies should avoid pigeonholing CISOs as cybersecurity or technology experts and instead include them in the operational side of the business. If CISOs are aware of what the business is doing and the decisions it makes for growth, they can make significant contributions, even when the operational issues aren’t in their area of expertise. More importantly, by involving the CISO in operational discussions, they are better prepared. “A CISO doesn’t want to hear about a $100m cloud initiative starting next quarter with the directive ‘make it happen.’”
Whiteside insists CISOs must be a year ahead of these kinds of initiatives. A CISO therefore should know every business unit’s strategic goals, particularly if they involve technology. With that knowledge, he or she can develop a timeline and plan that will allow the business unit to safely achieve its goals.
CISO stress is a big problem but a defined role with senior management and an active role with business units will not only mitigate much of that stress but also position CISOs for long-term success.