MapleSEC: How to stop CSOs from saying, ‘Goodbye’

Share post:

Increasing cyber attacks and the pressures COVID put on organizations is making chief security officers and their equivalents think of the unthinkable: Quitting.

In fact, Gartner believes by 2025/26, almost half of current CSOs will have left their job for another post, and of them, 25 per cent will leave cybersecurity.

Some call this The Great Resignation. Gartner calls it The Great Reflection, as infosec leaders reflect on whether they can find a balance between work and their personal life. Sometimes they conclude the solution is walking out the door.

With the current talent shortage, that’s not sustainable.

At this week’s IT World Canada MapleSEC security education event, two Gartner experts discussed what individuals and corporate leaders can to do halt this trend.

“Part of the challenge CSOs face … is you feel like you’re pioneering what you’re doing while you’re executing it,” said Geoff Crampton, an Ottawa-based Gartner executive partner. That’s in part because the CSO role is relatively new. Also, many CSOs have risen through IT positions, but today the C-suite demands members be business leaders, which isn’t a competency many CSOs have.

“You really have to sit down and figure out where are you going to invest your time, how are you going to invest your time, and what’s the most important place to put your time,” Crampton said.

Satyamoorthy Kabilan, a senior executive partner at Gartner and former director of national security and strategic foresight at the Conference Board of Canada, said CSOs should take a page from research done on others who face high-stress periods: First responders, such as police and firefighters, as well as emergency managers. One lesson: In an emergency, you can’t run 24/7 for a week, you need a team that can step in for you.

So he advises CSOs to build a team that can share duties in a crisis.

And sharing responsibility, he added, is a great motivation for others on the infosec team to stay with the company.

Meanwhile, corporate managers need to help take the load off the backs of CSO, said Crampton. “That starts with the organization understanding that cybersecurity is everyone’s responsibility. This is not a technical issue, this is not for one person to have to carry on their shoulders.”

The way senior management does that is by recognizing that cybersecurity issues are enterprise risk issues.

Gartner calls this the organization’s cyber judgment: Its ability to make risk-based decisions on a number of factors, including cybersecurity.

When an organization has good cyber judgment, Kabilan said, the CSO won’t be seen as “the blocker” of innovation. To do that, he added, the CSO has to understand the business’s needs.

Ultimately, Kabilan said, it’s up to senior management to decide if they have a great CSO — or a potential CSO — to make sure the organization develops and keeps them.

“We want CSOs to move from a role that prevents breaches to a leader that facilitates risk management,” Crampton concluded. “Second, we want to move from cyber risk being seen as a security problem to cyber risk as a business or organizational risk. Third, security can’t be seen as a roadblock. We want to re-frame that to ‘Security enables agile secure products and business operations.’

“If we can find those three reframings happening over the coming years, these positions will become much more supported in our organizations and [infosec] people will feel supported.”

The post MapleSEC: How to stop CSOs from saying, ‘Goodbye’ first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Costs from Global CrowdStrike Outage Could Exceed $1 Billion

The global tech outage caused by a faulty CrowdStrike update on Friday could result in damages exceeding $1...

CrowdStrike update: Warnings from national cyber agencies, repair options from Microsoft

National cybersecurity agencies in the U.S., Canada, the U.K. and Australia issued security warnings about the faulty CrowdStrike...

CrowdStrike update causes global IT outages, fix is available

Some airlines, banks and government services around the world have been affected by a faulty software update for...

Charges dismissed in SolarWinds hacking case

A judge has dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against SolarWinds related to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways