Join The Newsletter

Get actionable tips and insights on AI, Cyber and Leadership to become resilient in the world of AI

  • Sep 15, 2024

008: The No. 1 Reason Most Security Leaders Fail (and How to Fix It)

    Read Time: 5 Minutes
    Read on: monicatalkscyber.com

    ***

    The average tenure of a CISO is 18 months. For the last seven years, I have worked as a CISO/CSO/security leader for three key types of organisations.

    1. Firms that provide critical infrastructure to banks, insurance companies, etc., i.e. vital for the global economy.

    2. Agencies responsible not only for providing digital health services to the public but also for managing health crises such as the Covid-19 pandemic.

    3. Digital services companies providing critical infrastructure services to multiple sectors such as finance, health, energy, etc., i.e. critical to the healthy functioning of society.

    I've been fortunate to serve businesses of great economic and societal importance, and grow massively in all my CISO roles. Last year, I was awarded as the No. 3 CISO in EMEA.

    While I've truly enjoyed my CISO journey, in all those years I have also heard many security leaders and CISOs worldwide complain about stress and burnout. Over time, the burnout rate has only grown and become more evident. But it’s not the long hours that are causing them to experience burnout. It’s things like the lack of support, the lack of mandate, the inability to negotiate, and more. Burnout at the workplace is as real as it gets. Burnout among CISOs is even more common than you can imagine. The number 1 reason CISOs quit so fast is burnout.

    In 2023, Gartner predicted that by 2025 nearly half of security leaders will change jobs, 25% for different roles entirely, due to multiple work-related stressors.

    Here are the top 5 Reasons why CISOs and security leaders struggle and what you can do to avoid burnout (backed by studies and research):

    Mistake No. 1: Inability to Negotiate

    CISOs often complain about not having enough budget. Many rarely meet their boards. Many serve as a one-person security team. I get it; it sucks. But don’t wait for all these things to be handed to you. Won’t happen. You need to learn how to negotiate.

    ❌ Don’t have a seat at the table?

    ✅ Give massive value to your business stakeholders, and then negotiate getting a seat.

    ❌ Don’t have enough budget?

    ✅ Showcase how your investment will create business, and then negotiate getting the budget.

    ❌ Don’t have enough people?

    ✅ Showcase how you execute your vision more efficiently, and then negotiate getting people.

    To reach your desired state, there are 3 key things to do:

    1. Create leverage.

    2. Find a win-win.

    3. Negotiate.

    I teach my entire 7-step negotiation process in detail in my security leadership masterclass.

    Mistake No. 2: Misunderstanding Accountability

    Responsibility and accountability are not the same. You know what they mean in English. But do you truly understand the difference between accountability and responsibility?

    As a security leader, you must align the security program with the business's goals.

    Security's mission is not different from the business's mission.

    You are responsible, but you are NOT accountable. Accountability lies with the board. With rising liability issues, especially from recent SEC cases, by all means go get yourself some legal advice and protection, as this is not legal advice. But, at the same time, also create a security strategy that clearly defines and describes responsibility vs. accountability. Document it, align it, approve it, and be transparent with your stakeholders. Share the message one time too many rather than one time too few. This difference is so damn crucial. Understand it yourself. Get your executives to understand and adopt the same thinking and way of working. That is a part of your job as a security leader.

    Not sure how to align with your executive team or implement your strategy? Enroll in my leadership masterclass for instant access to learn how.

    (Again, it needs to be said, for the legal aspect, ask a lawyer.)

    Mistake No. 3: Trying to Build Rome Security In 90 Days

    The "90 Days" plan is a great way to build relationships, lay the foundation you need to succeed in your role and show your credibility. Yes, you need a 90-day plan. It should guide your strategy and its execution in your cybersecurity program. But...

    It's a fallacy to think you can fix security in 90 days.

    Even your superhero security leadership skills won't build security in that time.

    Do you need to show progress? Yes.

    Do you need to show that you can do this? Yes.

    Do you need to provide value to the business? Yes.

    But no one expects you to build or fix security in 90 days. If they do, you’re probably in the wrong place. Negotiate these terms as early as the interview. Clarify them before you sign the contract. Don't set an unrealistic goal.

    When you join, set out a clear vision, a realistic target for the short term and long term, and make provisions for your team and your stakeholders to be able to pivot if need be (e.g., regulatory changes, new business demands, etc.).

    Mistake No. 4: All Strategy and No Execution, or the Other Way Round

    As a security leader, it’s not enough just to have a vision. It’s also not enough to be a doer.

    I have talked to hundreds of CISOs. I have interviewed the top global security leaders, the crème de la crème. They are the most effective and influential.

    They all have one thing in common. They switch between the T seamlessly. What the heck do I mean by that? They are at the horizontal of the T. They are visionary leaders. They drive their team toward that vision. They can understand, communicate, and have a bird's-eye view. They can also switch to the vertical end of the T. This means they can roll up their sleeves and talk to the tech teams. They ensure their strategy is not just on paper. They make sure it gets implemented. They take charge during a crisis. They manage it and the communication between the execs and the tech teams.

    The best security leaders know when to be where. They can switch seamlessly between the two ends of the T-leadership.

    Mistake No. 5: Not Investing in Leadership Skills

    If you want to be treated like a leader, you need to become a leader. If you want to feel like you belong in the C-Suite, you need to behave like someone with caliber and influence. If you want to get a seat at the table, you have to act and do things that are worthy of getting a seat at the table. None of these things will happen just because you are an “expert” in cybersecurity. But all these things have one thing in common: they are traits of a great leader.

    Do some people who are absolutely horrible leaders still get to that place of authority? Sure. But do they survive for long? Not necessarily, especially not in the cybersecurity world. If you don't invest in learning to be a great leader, your chance of success as a security leader is very slim. As a leader, you must learn to manage people. You must inspire, communicate, and negotiate. You must be empathetic to stakeholders. You must also lead in all directions, among other skills. How do you get there? I teach that in my masterclass. I've seen security leaders struggle. They're cybersecurity experts, but not leaders.

    Title, salary, and position don't make you a leader. Being a great leader does.

    That's a wrap. Let me know which of these mistakes you've been guilty of and which lessons you'll apply in your career journey going forward.

    ***

    Where Do You Go From Here?

    Great careers are not built by accident. Great careers and lives aren't built by chance. I'm here to help you grow your career and your life on your terms.

    If you want to skill up, break into security leadership or 10x your career/business as a (security) leader, consider joining my flagship Security Leadership Masterclass (Instant, On-Demand and Lifetime access). See what others are saying.

    In this masterclass, I show both aspiring and current security leaders how to take the leap from concept to effective and influential security leadership with ease, proven frameworks and tested methodologies. You'll learn not only from me but from the condensed knowledge of 12+ other global and highly successful security leaders, providing you knowledge, frameworks and expertise of 50+ years combined in just a matter of a few hours. Click here to get started today.

    Here's what you'll get:

    ✅ My entire 10x manual on how I went from hacker to security leader in just 4 years.
    ✅ Real insights and actionable advice from industry leaders on 'How to 10x in Security Leadership'.
    ✅ The 10x framework I and other global leaders have used to become effective and influential leaders with proven, actionable and no bs tips.
    ✅ Lifetime access to full interviews with all top 10+ leaders to look back at whenever you need them in your journey.
    ✅ Lifetime access to full LIVE masterclass session along with one FREE 1-1 leadership coaching session with me (worth $300 for FREE) to help you create a custom plan for your security leadership journey and achieve your outcome.

    ***

    –– Monica Verma



    Wish to 10x your career or your business in AI, Cybersecurity or Leadership, on your terms?

    Whenever you are ready, there are 4 ways I can help you... (↓):

    1. The 10x Circle: Leadership Masterclass: The first MASTERCLASS ever on 10x security leadership with a cumulative of 50+ years of experience from me and top 12+ global security leaders. IT IS OUT NOW. Join today to get lifetime access.

    2. 10x Your Career: I went from a hacker to a CISO in just 4 years and continued my journey as a leader. Through many calculated risks over time, I built my career and life on my own terms and conditions. So can you. Book your 1-1 coaching today.

    3. Your Step-by-Step Guide to Break into Security Leadership: Here's your chance to break into a security leadership role and make an impact. This Ultimate Guide is a cumulation of 20 years of experience, my journey from hacker to leader, synthesized in an easily consumable format with practical tips and tools to help you get your break and 10x your career. Join now if you wish to break into security leadership.

    4. 10x Your Business: Are you tired of talks full of jargon and sales? Do you hear a lack of storytelling, engagement and clear messaging? I am a professional keynote speaker and a storyteller, helping businesses demystify artificial intelligence, leadership and cybersecurity with engaging storytelling. Excited? Learn more to book me as your speaker today or sponsor The Monica Talks Cyber podcast show to get your message across to an audience of 30K+.
