The Importance of Cybersecurity as a Board-Level Leadership Priority
Chapter 1: Cybersecurity as a Leadership Essential
Promoting and supporting cybersecurity has become a fundamental aspect of effective leadership. Despite this, the short tenure of Chief Information Security Officers (CISOs) remains a pressing concern. Surveys regularly put their average time in position at around two years, and insights from my own network suggest it is often shorter still. This pattern usually signals deeper problems, and it is a significant barrier to the advancement of cybersecurity in large organizations.
Beyond the usual culprits, such as inadequate resources, a disconnect from upper management, and the relentless demands that lead to burnout, lies a factor that is discussed less often: the profile of the CISOs themselves, and in particular how well their skills match the management dimension of the role. It is increasingly hard to conceive of a company where executives and board members are oblivious to cybersecurity risks, given the extensive media coverage and the persistent wave of cyber incidents over the last decade.
Indeed, the question about cybersecurity spending has shifted from "Why spend so much?" to "Are we allocating enough?" In this landscape, CISOs who still find it hard to secure the resources they need should reflect on where they may be going wrong. More often than not, the underlying issue is neither budget constraints nor poor communication, but an overly technical framing of their requests, and whether senior executives trust them to deliver on the actions they propose.
It is crucial to remember that the CISO role rarely originates from the boardroom; typically, it emerges organically from technical backgrounds. Over the last ten years, many senior leaders have witnessed successive CISOs presenting ambitious plans that require substantial investments in technology, only to see them depart after a few years with minimal results.
Effectively addressing cybersecurity in large organizations is inherently complex, spanning multiple corporate silos, particularly when maturity levels are low and significant transformations are required. Such endeavors demand time, determination, and unwavering commitment.
While board members have grasped the “when-not-if” mindset surrounding cybersecurity for years, CISOs must recognize how this shift alters the agenda for senior executives. Cybersecurity is now perceived not merely as a risk—an event that might or might not occur—but rather as a critical aspect of business protection. Consequently, executing protective measures has become imperative.
However, many CISOs are ill-equipped for the management challenges that accompany this transition. They often read the "when-not-if" concept as meaning that breaches are inevitable, and see their value as limited to immediate tactical response rather than building enduring protective practices across their organizations.
This disconnect between CISOs and senior management is concerning. Executives are open to substantial investments in cybersecurity, but they expect a clear rationale, credible execution, and tangible protective outcomes—not just continual demands for more technology, laden with jargon, every time a breach occurs.
Such dynamics create a cycle of frustration that leads to mutual distrust, reluctance to allocate resources, and ultimately, short tenures. The reality is that brief tenures contribute to long-term stagnation; accomplishing meaningful change within large organizations in just two to three years is nearly impossible. Often, initiatives remain unfinished, as new CISOs bring different priorities, and business needs evolve.
To break this cycle, the board must take charge and designate a trusted senior executive responsible for cybersecurity, driving the initiative from the top down with a long-term vision that transcends everyday operations.
Some board members might argue they lack the requisite skills for this undertaking, but this perspective is misguided. Cybersecurity transcends technology; it fundamentally involves cultural and governance aspects, with technology being just one dimension of broader organizational activities. Establishing effective governance from the top concerning cybersecurity is a leadership issue that rightly belongs on the board's agenda. This is the first step toward cultivating a culture of business protection across all corporate areas.
Middle management will respond positively when they see the right attitudes, messages, and examples consistently conveyed from the top regarding cybersecurity. Given adequate support, they are likely to align with these principles.
In conclusion, robust cybersecurity is synonymous with sound business practices; it safeguards the organization and its clients while fostering resilience. Advocating for and supporting cybersecurity initiatives has become an essential aspect of responsible leadership.
For further insights into Cybersecurity Leadership, subscribe to our newsletter. To learn more about developing a successful Cybersecurity Practice for your business, contact Corix Partners. Corix Partners is a specialized Management Consultancy Firm and Thought-Leadership Platform dedicated to assisting CIOs and C-suite executives with Cybersecurity Strategy, Organization, and Governance challenges.
An edited version of this article was originally published on Forbes on 19th May 2022 and can be found here.