There's always talk about executive turnover after a security incident or full scale data breach at an organization, specifically the CISO position. Even in the case of relatively minor security incidents, security executives can be fired or reassigned. What are the options for CISOs after they are forced out or asked to resign? Can they get another CISO job? Do they stay in security, or are their credibility and reputation lost after such an incident?
CISOs get fired for many reasons. The obvious ones are poor performance, illegal acts, or personal or ethical behavior that warrants termination. Many times, CISOs become collateral damage after a security breach. Because of their visibility into personnel and system activity, they are sometimes terminated because they become aware of executive indiscretions or come across highly sensitive information, such as executive compensation plans. Their job can also be eliminated due to budget cuts, or because they fall out of favor with management. The list goes on, but regardless of the cause, a termination can be detrimental to a CISO's ability to obtain a CISO position elsewhere.
In most states in the U.S., employers are not prohibited by law from providing truthful information about a former employee's reason for termination to a prospective employer. Information former employers can disclose includes job performance; reasons for termination or separation; performance evaluations or opinions; knowledge, qualifications, skills or abilities; education, training or experience; and professional conduct. They are not allowed to make misstatements or provide false information, and the former employee has recourse in a defamation lawsuit in such cases. However, prospective employers typically will not share negative information obtained from former employers with the applicant.
In the event a CISO is terminated, he needs to decide whether or not to continue in this profession. There are many CISOs that are terminated or laid off that find another CISO position. To increase the likelihood of this, CISOs can:
- Ask during the exit interview whether the former employer would refrain from providing a negative reference. The reference may not be positive, but at least it won't be negative;
- Become a business partner for business unit managers and executives. This will allow them to more easily provide a good reference;
- Get involved with professional organizations such as ISSA, ISACA and OWASP so that others in the cybersecurity field know him if another CISO position becomes available;
- Engage a professional recruiter that specializes in cybersecurity. Share all the details of the termination with him and strategize as to how he will present the CISO to prospective employers;
- Write articles or give lectures on cybersecurity to increase his worth to others outside of the company; and
- Build and lead his staff by example in learning, technical abilities and ethics. Their references will speak volumes to prospective employers.
The key to staying employed as a CISO is communication, especially with executive management. CISOs who perform their duties in a vacuum and rarely speak to or teach executives about the elements of information security or incident handling will find their job tenure in jeopardy when a real incident occurs.
Being a CISO is a rewarding yet challenging job. Those in cybersecurity say that a five-year tenure is about average for most CISOs, although clearly there are those who hold that position for many more years. So unless a CISO's termination was due to egregious and illegal activity, finding another CISO position elsewhere may not be that difficult.
Related Q&A from Mike O. Villegas