I used to think I’d like to be a CISO. Now that I’ve spent the past few years speaking with CISOs, I’m not so sure I’d want the job. CISOs have targets on their backs, they hold our data in their hands and I, for one, am thankful for what they do.
I’m convinced that the CISO job is one of the hardest, most thankless, and most stressful jobs on the planet. I know there are worse jobs out there - bomb squad, for instance. But there aren't many.
The forces arrayed against them are impressive. CISOs are judged by how well they protect their customers’ sensitive data. However, that data is worth more to attackers than it is to the business itself. A single medical record can be worth $1,000 on the dark web. So on a dollar basis alone, CISOs are outgunned.
Add to that the fact that attacks can be carried out at very little cost to the attacker. The vast majority of attacks are automated and carried out at scale. A hit rate well below 1% still represents success to an attacker.
Every CISO I’ve talked to has acknowledged to me that they do not have enough budget to cover the threats of today, much less those of tomorrow.
Given the fact that the cost of attacks is scaling exponentially, and security budgets are scaling linearly, they know they will never, ever catch up. And still they do their jobs day in and day out, doing their utmost to protect their business and its customers.
And while I see a battle weariness, I do not see a loss of hope. They know that it is only a matter of time until there is (another) breach. They know they are the ones who will take the blame, and yet they stand up every time, take responsibility, and forge ahead doing the best they can with what they have.
Every CISO I've ever met has been intelligent, pragmatic, seasoned by time and experience, tireless, and thoroughly professional. They are, without a doubt, the kind of person you'd want to have by your side and watching your back in a crisis.
So from all of us who benefit from your efforts - thank you!