You’re a CISO? That’s rough, buddy

Zuko commiserating that Sokka's girlfriend turned into the moon

I had the opportunity to speak candidly with several CISOs (Chief Information Security Officer) and CSOs (CISO plus physical security) at RSA this year. I heard lots about challenges, and it’s not surprising that the tenure is so short.

There’s a lot to unpack in the data behind those articles, but this is a product management blog so I’m going to focus on the differences between a CISO’s job and the product manager’s job. In short, it’s harder to be a security leader than a product leader.

This will be something of a hot take for my PM friends, but I think the number one reason is that Product gets more rope on suboptimal outcomes. It’s difficult to pin the blame when a product doesn’t work out. Often it’s hard to even say if the product isn’t working! Perhaps it was held to unreasonable expectations, perhaps it operates entirely in a squishy qualitative domain, perhaps it would have done better if Sales were differently compensated or Marketing had run a different campaign or Engineering had built a different design.

For some extreme examples:

Product leaders, like mini founders, are often able to pivot until the rope is truly gone. Their accountability is influenced by their ability to manage communication and relationships. As governance by the board is the startup’s accountability, so supervision by e-staff is product’s accountability. A capable leader can manage data and stories in both cases, within the bounds of reality, because the entire endeavor is a creative one. Building a new thing is inherently risky and prone to uneasy judgement calls.

The CISO, on the other hand, is operating in an almost entirely subjective domain, largely reactive to outside forces. The mission is impossible, organizational motivation is low, resources are poor, and success is uncertain. Failure, by contrast, is very clear: after a breach or a failed audit, the CISO is probably gone. That firing may be only a sacrificial gesture from an organization with no intention to improve, or it may be a sincere attempt to increase security… but that distinction isn’t really relevant to the outgoing leader.

This set of challenges is then placed against a backdrop of the standard leadership fare: planning and budgeting, maintaining systems, hiring and firing, customer meetings, and now the return of business travel. None of that measures up in difficulty to, say, mining coal, but it’s still a drain on the individual’s resources.

Interestingly, while CISO tenure has been a subject of interest for several years, there’s very little data on Chief Product Officer tenure. It would be interesting to compare; this post might be invalid after all. Subjectivity in judgement cuts both ways.
