9 ways CSOs lose their jobs

CSOs work hard to protect their enterprises and careers. Yet all that hard work can disappear in an instant. All that’s necessary is a little inattention, a false assumption, or perhaps following some misguided advice.

Are you planning to keep your job? Then learn the following nine danger areas to avoid.

1. Overconfidence

Hubris can result in early career destruction, particularly when unproven yet popular security solutions are deployed.

“This type of approach creates gaps in security, increases the risk of human error, and leads to a false sense of security among stakeholders — until something major happens, resulting in a catastrophic cybersecurity event,” says Steve Tcherchian, CISO at cybersecurity technology firm XYPRO.com.

Overconfidence can also lead to security complacency. “When individuals or organizations assume that their current security processes are sufficient, they fail to remain vigilant and can become vulnerable to new threats,” Tcherchian observes. As a result, security gaps go unnoticed and defenses become outdated.

Careers often derail when the security leader loses focus on essential tasks and becomes distracted by the latest tech and hot topics, says Richard Watson, global and Asia-Pacific cybersecurity consulting leader with business advisory firm EY. The result is the acquisition of lots of technology, adding unnecessary complexity and needless distraction.

The challenge posed by complexity is that it adds cost at a time where cyber budgets are falling under increasing scrutiny, and it can make an organization’s cyber defenses weaker. “As with all technology integrations, gaps can appear, and it’s precisely through those gaps that attackers can gain their advantage,” Watson notes.

To make matters worse, complexity can lead to a false sense of security, with organizations feeling confident they have the latest tech innovations defending them. Watson reports that EY recently conducted a study of 500 of the world’s leading organizations and discovered that the top security performers are embracing simplification and moving toward a single integrated platform approach.

3. Shortchanging GRC

Deploying a cybersecurity stack without including a formal governance risk and compliance (GRC) program can easily upend a career.

“This mistake is potentially devastating because it can impact many aspects of the business,” says Scott Hawk, CISO at wireless network services firm Velaspan. Without a solid GRC program, a security leader is more likely to overspend on technology, develop a false sense of security, miss critical components of their security posture, and create misalignment with other parts of the business.

A GRC framework ensures that risk management, compliance requirements, and governance are integrated into the organization’s overall strategy. “GRC will create a business-wide conversation around cybersecurity, which helps to set priorities and drive adoption.” GRC works to make cybersecurity a business enabler, Hawk says.

4. Failing to align cybersecurity with enterprise objectives

The biggest mistakes security experts make aren’t technical errors, miscalculations, or even failing to envision potential threats, says Richard Caralli, senior cybersecurity advisor at cybersecurity platform provider Axio. “The biggest mistake is the failure to understand and frame cybersecurity programs within their organizational context.” It’s also a potential career killer.

Cybersecurity exists, and should be executed, within the context of the enterprise’s mission, goals, and objectives. “Protecting what’s most important to the organization’s viability is what should drive cybersecurity priorities and investments,” Caralli says.

The ability to craft and execute a cybersecurity program that prioritizes the critical success factors the organization values is fully in the hands of cybersecurity leaders, he adds. “Failure to align cybersecurity efforts to organizational values creates an exposure that could result in misaligned investments, poor resource utilization, and generally poor cybersecurity outcomes,” he says.

5. Underemphasizing access controls

Many security leaders spend their time worrying about system backdoors without recognizing the threat posed by access permissions, warns Nitin Sonawane, co-founder of identity, security, and governance technology provider Zilla Security. “Identities are front doors into systems,” he notes. “Overlooking unsecured and misconfigured identities is a big mistake.”

Enterprises often fail to adequately manage the access permissions for former employees and contractors resulting in orphan accounts that can be exploited by threat actors. Meanwhile, active employees routinely accumulate access to sensitive systems and data as they take on new responsibilities during their tenure at a company. “Over-privileged identities create a greater risk in the event of an exploit,” Sonawane cautions.

Sonawane believes that the most effective way to manage identities is with AI. Most organizations today maintain HR applications such as Workday, Paylocity or BambooHR, which serve as a source of truth for every user’s business profile. When a transfer occurs, organizations usually expect the user’s new supervisor to decide which permissions the user should carry forward. “The new supervisor has the business context to make these decisions and AI can help them figure out what access is needed and what’s outside of the scope of their business function.”

6. Ignoring the human factor

The biggest mistake security leaders make is focusing entirely on technical solutions and processes, says Dan Lohrmann, field CISO at IT consulting firm Presidio. The biggest vulnerabilities come from the people side, he warns. “Security experts who underestimate relationships will fail.”

Lohrmann says that employees’ tendencies to attempt to go around controls and bypass established policies and procedures can lead to an array of insider threats. “It opens the door to people who are trying to do harm, or steal, and can cause reputational and brand damage in much the same way that a ransomware attack or other data breach can cause devastating damage,” he says.

Employees and other authorized individuals can be crafty, Lohrmann notes. “I’ve seen people sabotage excellent cybersecurity projects by using tactics like delaying actions — running out the clock — openly causing dissention on teams, fighting against leadership or stated organizational goals, taking unnecessary risks, or being incompetent or untrained,” he explains.

People can also change over time. “Some staff members, who were outstanding pros at one time with great resumes, are now burned-out or have lost focus because they are doing a side-hustle or have other distractions,” Lohrmann says. Rogue or careless users and/or contractors can also cause havoc.

Better hiring practices, including thorough background checks, can go a long way ensuring strong internal security, Lohrmann says. “So can noticing signs of burnout.”

7. Allowing abandoned data to linger

Stale data in cloud-based storage may be hidden and forgotten, but it can come back without warning to wreck a CSO’s career. “Leaving stale data poses significant dangers, ranging from security vulnerabilities to compliance issues, and it’s such an important mistake because it’s so preventable,” says Rich Vibert, CEO of data security software provider Metomic.

Unauthorized access is the prime concern, Vibert states. “Sensitive information contained in old files can easily fall into the wrong hands if access controls are not meticulously maintained and updated.” The risk escalates when former employees or external collaborators continue having file access.

Data breaches become more likely when attackers capture abandoned files, including personal information, financial records, or confidential business data, Vibert says. “These forgotten or unmanaged pieces of data often lack strong protection, making them attractive targets.” Furthermore, stale data can equip cybercriminals with valuable historical information, enabling them to craft more convincing phishing emails or social engineering attacks, thereby increasing the likelihood of successful breaches.

8. Not building a bridge to the business

Ineffective communication with nontechnical stakeholders can lead to misunderstandings and confusion, sowing distrust, lack of support for security initiatives, and growing challenges when seeking security budget approvals, says Jeff Orr, director of research, digital technology with global technology research and advisory firm ISG’s Ventana Research.

Orr advises using business terminology to convey critical security issues and their impact on business objectives. “Offer examples to help relate security concepts to business activities,” he says, advising CSOs to also bring clarity to security reports. “Review how security decisions can be related to business impact.”

9. Complacency

The biggest career-crippling mistake is believing that everything is under control. Such leaders place their faith in security projects and schedules, says Howard Taylor, CISO at security technology provider Radware. “They trust their fleet of industry certifications to protect their business from cyber villains.”

The last words after the enterprise has suffered an historic leak of payment transaction data: “We just passed our PCI DSS Certification.”