Do Cyber Pros Need Some Security of Their Own?

Cyber pros, it turns out, could use a little more security of their own.

At a time when cyberattacks are increasing in frequency, intensity, and sophistication, a new study suggests that the teams charged with protecting companies are themselves under attack. The study, by cybersecurity firm Trellix, found that in the year following an attack 13% of cybersecurity leaders reported staff reductions. From there the job losses only get worse, with the figure jumping to 23% by the third year and rising again to nearly one-third after three years. Experts say that in many cases, the chief information security officer—the public face of a company’s defense efforts—is among those fired.

While the study itself didn’t account for CISOs, there’s no shortage of news stories about CISOs who were fired after a security breach. Moreover, the study’s findings align with other research showing that the average CISO tenure is between 18 months and two years. Sue Ribot, Global Cybersecurity practice leader at Korn Ferry, says the study highlights the prevailing feeling among CISOs that “everything is on their shoulders.”

With nearly 70% of firms experiencing a cyberattack in the last 12 months, cyber leaders and their teams are increasingly being held liable for breaches—sometimes on a personal level—not only by their CEOs and boards, but also by regulators and investors. In an extreme example, one CISO was charged with fraud by the SEC for misleading investors about internal controls following a breach. Craig Stephenson, leader of Korn Ferry’s CIO/CTO practice in North America, says the heightened scrutiny has created a vicious cycle of hiring and firing that ultimately makes organizations unstable and more vulnerable to attack. It has also created recruiting and retention problems for companies. “CISOs are thoroughly assessing the risk to the company and themselves before taking a job,” he says.

Consider, for instance, that despite the prevalence of attacks, companies are cutting back on cybersecurity budgets. According to the security-budget benchmarking report issued in October, cybersecurity spending in the US and Canada increased by just 6% on average in 2023, down from 17% in 2022. “It’s still a challenge for CISOs to get the budget and talent needed to make the changes they want to make,” says Ribot.

Still, there are some experts who think CISOs and their teams are trying to deflect responsibility. Where should the cyber buck stop, so to speak, if not with the security team and its leader? Andrés Tapia, global DE&I and ESG strategist at Korn Ferry, likens failed CISOs to a CFO who has neglected to put financial controls in place to protect the company against losses. “It’s their job to defend the company,” Tapia says of cyber pros.

To be effective, however, cyber pros need the cooperation of their CEOs and boards, experts say. For her part, Ribot says CISOs need more elevated positions in the organization, along with more direct relationships with their CEO and board. The study found that in the aftermath of an attack, CEOs and boards are more likely to offer additional support to CISOs in the form of increased budgets, new security frameworks, or tighter integration throughout the enterprise, for instance. 

Alyse Egol, a principal in the Technology Officers practice at Korn Ferry, says that increasing support following an attack means that companies are being more methodical in figuring out what happened, where vulnerabilities exist, how to fix them, and who to hold accountable. “Companies are trying not to be so reactive,” she says. Often, a cyberattack provides the impetus CEOs need to reevaluate the entire security ecosystem, from where the CISO sits in the org chart, to the talent pipeline, to the support the CISO gets from key functions. “CISO can put in all the controls and programs they want, but if they don’t get buy-in from others, it won’t make a difference,” she says. 

For more information, contact Korn Ferry's Software and Platforms practice.

Read more This Week in Leadership articles