Cyber Breach Survivors Welcome: Why Firms Should Hire CISOs with Breach Experience

Let’s face it. No one likes to air their dirty laundry in public, especially if your job is in the area of cyber security. Be that as it may, research suggests that those who acknowledge and learn from their security breaches and share the insights could actually be a benefit to a company – not a liability.

I’d go as far as saying firms are better off hiring a CISO who has experienced an avoidable breach, as opposed to someone who hasn’t. As long as they’re not looking to repeat the same mistakes, there’s a lot to gain from someone who has bounced back from an incident that has occurred on their watch. It changes the way they think, feel and behave. Having already been through the experience, security professionals tend not to be haunted by the stress of regulation, the feeling of burnout, and they are more likely to share their learnings with others.

Insights

In partnership with Dr Chris Brauer, Director of Innovation at Goldsmiths, University of London, Symantec surveyed more than 3,000 cyber security leaders across the UK, France and Germany. Here are some of the things we found:

Cyber security professionals that have experienced an avoidable breach are:  

• 24% less likely to report feeling ‘burnt out’ 
• 20% are less likely to feel indifference toward their work 
• 15% less likely to feel personally responsible for an incident that could have been avoided 
• 14% less likely to feel ‘set up for failure’ 
• 14% more likely to share their learning experiences 
• 14% less likely to think about quitting their job 

You can view the full report here.

From my personal experience, I find that a potential hire at any level that has been through a breach and come out the other side is incredibly valuable. The top levels will learn a lot of crisis management in a real-life situation, leadership and how to keep a team focussed. The rest of the team will benefit both from the experience itself and from watching how their leaders respond (be it the CISO or the CEO). These experiences are ideally rare, but memorable and in my opinion character (and career) forming.

Anyone who wears the ‘been there, done that’ t-shirt is much more equipped and is less afraid of preparing for and managing future security issues. In short, there’s no need to hide previous breaches on your CV – even if you are a CISO.

Learn from Failure

“Failure is simply the opportunity to begin again, this time more intelligently,” said US car supremo Henry Ford. The only problem is, 54% of security leaders in our survey explicitly do not discuss breaches or attacks with peers in the industry. If everyone keeps their breaches secret, no one will ever learn from them. Often, when information is shared in the industry, by the time it’s scrubbed, sanitised and anonymised, it’s of little value.

On the dark web, people aren’t as tight-lipped. Criminals are all too quick to spill the beans in online forums about how they were able to expose vital company data. What the security industry needs is a trusted environment where knowledge transfer can take place for the betterment of all involved. But it also needs a culture that encourages this exchange of best practice.

Practical Steps

After speaking with industry leaders for the Symantec High Alert research, we’ve put together some advice to turn the challenges into opportunities.

Share learnings – Teams should take a more optimistic view of security incidents and learn from the attitudes of the people who have been through them.

Prioritise strategy – A more optimistic response to breaches also means taking a long-term and strategic approach to cyber defence. One of the best ways of doing this is through the adoption of a solution such as Symantec’s Integrated Cyber Defence (ICD) platform.

Discuss insights with peers – Individuals and the industry at large need to devote more attention to improving strategic and operational information sharing – not just tactical threat information.

Support from the top – Company boards must support these efforts and foster a more open learning culture for security teams.

Communicate in person – CISOs and security teams can help themselves, and seize the opportunity for driving positive change, by working closely and collaborating in-person with colleagues after an incident.