
How can CISOs avoid executive turnover after a data breach?

The executive turnover at enterprises after a data breach is fairly high. Expert Mike Villegas gives some advice on how CISOs can avoid losing their job.

In the event of a data breach, enterprises tend to have a high executive turnover rate, which concerns me as a CISO. What are some ways to help ensure that I respond to an incident properly and avoid executive turnover?

There were more than a dozen major data breaches exposed in the month of November 2014 alone, including the Sony Pictures hack and an attack on the U.S. State Department.

The annual Cost of Data Breach Study, independently conducted by the Ponemon Institute and sponsored by IBM, polled more than 250 organizations from 11 countries, including the U.S., that participated in the 2014 study. The study put the average cost of a breach to a company at $3.5 million in U.S. dollars, 15% more than the previous year.

Breaches are on the rise and so is the average cost per breach. But how does this affect the CISO's tenure? First, let it be understood that there is no such thing as absolute security. The mentality today is not whether an enterprise will be breached, but when.

Consider stolen cars. If some malcontent wants your car and is good at his trade, he will undoubtedly steal it. But when you put in a claim with your insurance company, they will want to know the circumstances of the theft, whether you notified the proper law enforcement agency, and whether you had reasonable controls in place: was the car locked, did it have an alarm system, was nothing of value left in plain sight, and did it have a LoJack or some other type of tracking device. If they find that you did not sufficiently mitigate the risk of your car being stolen, there will be a question of whether your insurance company will cover its replacement.

The same applies to an enterprise IT environment. Chief information security officers need to exercise due care in protecting critical information assets, but that alone is not enough. CISOs need to establish a sound incident response plan (IRP) and test it periodically. The IRP should be based on an industry-accepted incident response methodology such as NIST SP 800-61. Once the IRP has been completed and approved by management, it needs to be tested at least annually using tabletop scenario exercises that include staff from IT, computer operations, information security, key business units, HR, public relations and executive management. The results and lessons learned from each IRP test then need to be reported formally to executive management.

The key to keeping your job as a CISO is communication and demonstrated incident handling in the event of a breach or any other incident that affects the company's ability to maintain proper security and mitigate risk. CISOs who perform their duties in a vacuum and rarely speak to or educate executives on the elements of information security and incident handling will find their tenure in jeopardy when a real incident occurs.


This was last published in May 2015
