First 100 Days of the New CISO: Expectations vs. Reality

JC Gaillard
Security Transformation Leadership
4 min read · Nov 17, 2018


The situation the new CISO finds on arrival is often different from what they were expecting, but who’s to blame?

A painfully recurrent complaint among Chief Information Security Officers (CISOs) is the disconnect between what they were promised during the recruitment process and the actual situation they find upon starting the job.

Indeed, it is quite common to hear freshly hired CISOs blame their less-than-smooth transition into the role on “broken promises” (some explicit and some simply assumed), such as inadequate resources or insufficient attention dedicated to cybersecurity by key stakeholders.

This is a real issue, as it often results in CISOs not staying long enough in the job to drive any real or lasting change, and it leads to the long-term stagnation of the cybersecurity posture of many large firms and of the InfoSec industry at large.

There are several possible reasons for this disconnect between what a new CISO is told and what they find on arrival:

It might be that the very stakeholders who supported the recruitment of the new CISO into the role are gone by the time the CISO starts. This is not uncommon within large organizations where people — and the priorities…

Founder & CEO @CorixPartners @Transform_Sec | Top #Cybersecurity ThoughtLeader on @Thinkers360 | Board Advisor & Non-Exec Dir | Author http://buff.ly/41a574n