Golden parachute clauses allow exiting executives to land on their feet.
Adam Neumann, the former CEO of WeWork, strapped on his golden parachute to walk away with $1.7 billion in stock, cash and credit.
That was Neumann's choice. Security executives might not have that luxury.
A golden parachute financially insulates an executive during a C-suite departure. With the possibility of breaches always hanging over the heads of CISOs, golden bullet clauses financially protect them from the fallout after an incident, according to Stuart Mitchell, head of information and cybersecurity recruitment at Stott and May, in an interview with CIO Dive.
Golden bullets won't entirely shield an executive from public scrutiny, but they can alleviate the burden of blame. And if the fear of termination becomes reality, a golden bullet clause acts as a bonus paid to a CISO leaving after a breach.
"Every time there's a high profile breach, business needs a fall guy," said Mitchell. If it's a high-profile business, "you get fired and [dragged] through the mud pretty publicly."
A golden bullet can cushion that dragging.
Neumann might have tarnished his reputation, but his golden parachute gave him a "pretty gentle landing" financially, said Mitchell, a luxury CISOs aren't always afforded.
Nearly one-third of CISOs suspect they would lose their job or receive "an official warning" due to a data breach, according to a Nominet survey of more than 400 CISOs.
If a CISO has a healthy budget and a fully staffed security organization, then that CISO has all the resources necessary for solid protection. Directing blame at the CISO, in that case, would be justified. However, those circumstances are almost never a given.
Only 60% of CISOs think their CEO or president agrees that a future breach is a certainty, according to Nominet. Non-IT leadership can get wrapped up in liability defenses instead of pursuing security best practices or investments, which puts more pressure on CISOs to deliver with minimal resources.
Pay the price
It's easy for companies to scapegoat their CISO following a breach. These executives are in charge of maintaining a safe and sound network. But everyone in security knows cyber events are a matter of when, not if.
In Q3 2019 alone, there were more than 5,100 reported breaches, exposing 7.9 billion records, according to Risk Based Security research. By comparison, 2011 ended with just over 1,300 reported breaches and about 420 million impacted records in total.
Capital One's breach was reported in July 2019, making it one of the six breaches compromising 100 million or more records between July 1 and Sept. 30 of that year.
Even though breaches are inevitable, professionals still step into the "thankless job," said Mitchell. Unlike other C-suite members, like a CTO who becomes a "hero" when releasing a new product line, CISOs are "never really the hero, but people know when you miss."
"You can definitely be a villain," Mitchell said.
Senior leadership is most concerned with the implications a breach will have on their company's reputation, according to Risk Based Security.
During and after a breach, the PR modus operandi is typically to single out a fall guy, the CISO, regardless of the actual circumstances, said Mitchell. There are individual aspects of a security program over which a CISO has no direct oversight, yet they will still shoulder the blame.
"That's why if you can't stand the heat, get out of the kitchen," Andy Kim, CISO of Allstate's e-business, told CIO Dive.
Even with a tough exterior, the CISO job carries plenty of mental health strain, according to Mitchell.
The majority of CISOs, 91%, say they have moderate or high stress levels, according to Nominet. About 17% of CISOs rely on medication or alcohol to mitigate their stress.
"I know plenty of people that like the second in command job of being a deputy CISO or VP because sometimes it's more fun to be the prince than be the king," said Mitchell. "You're allowed to turn your phone off."
What's in a golden bullet
A golden bullet clause allows CISOs to consider their future and what's in the best interest of the business.
Golden parachutes are often used to attract executives, though critics warn they provide a moral incentive executives shouldn't need; executives should already act in the best interests of their company without additional compensation.
The clause can also help protect a CISO's career.
"Ultimately you have to dust yourself off and humble yourself," said Mitchell. "You're always going to be walking around with that skeleton in your closet and you can't hide that information," especially from Fortune 500 companies.
If a CISO leaves, they will likely have to rebrand themselves, hiring personal brand managers to help. With a golden bullet, they can choose to leave with a substantial payout to support them while they "get dragged through the mud" until another public breach happens and people forget, said Mitchell.
Companies benefit from the contract clause too. If there is a golden bullet clause written into a CISO's contract, it more or less guarantees a CISO's focus remains on a breach's recovery, as opposed to looking for another job, according to Mitchell. "It also gives the company an agreement that they are allowed to make the CISO the fall guy."
Such an arrangement helps alleviate criticism and concerns from investors and customers.
Today golden bullet-like clauses are usually "found in CISO appointments that are titular in nature," said Kim. Some boards don't know what qualities make an effective CISO and will appoint someone they're familiar with as opposed to a security veteran.
"There are many uninformed board of directors members who don't know how to select an effective CISO," said Kim. Fortune 100 companies usually have boards like this, hiring "their friend or [someone who] is a politically well-connected appointee."
But "a lot of that onus is on hiring and firing people and not trusting the right people or the wrong people," said Mitchell. Trust either falls between executive leadership and their CISO or the CISO and the rest of their security organization.
The cybersecurity industry thrives off a workforce of diverse and unlikely backgrounds. About 70% of qualified applicants hold a title that isn't necessarily security-specific, according to research from (ISC)².
CISOs "who know what they are doing aspire to this moment, when a breach happens," said Kim. "Marginal CISOs will simply resign."
Falling on their sword
Cybersecurity success is usually measured by silence: no breaches, no cyberattacks, no headlines.
A CISO's performance should be quantified by more than a singular event, according to Greg van der Gaast, head of information security at The University of Salford, in a LinkedIn post.
"I think a CISO should be measured by the improvements they bring, not a point in time. Bad things can happen even when you’re heading in the right direction," said van der Gaast.
Holding onto a publicly tarnished executive is a potential PR hazard. Terminating CISOs is, in a way, PR damage control, despite the tenure or experience of the executive.
Though removed CISOs have wounds to lick, their recovery career-wise is possible. Uber's former CISO Joe Sullivan — who was blamed for paying off hackers in a 2016 data breach — is now CISO of Cloudflare.
If a CISO performed their job to the best of their ability, without any major faux pas, and a breach still occurs, companies have to ask two questions, according to Mitchell:
- Would the business be in a better position if they paid the CISO to clean up the mess?
- Or, should the business conduct interviews for a new CISO, taking their eyes off the recovery?
Some companies with very public breaches, including Home Depot, kept their CISOs or CISO-equivalents on board.
Home Depot adopted the CISO title when it hired Jamil Farshchi, who was later hired by Equifax. But Daniel Grider, VP of information technology, who was in charge of security at the time of the breach, still holds his role.
Other companies don't fare as well. Yahoo had three high-profile data breaches between 2013 and 2016, and later disclosed that the largest of them affected three billion Yahoo accounts. In that time frame, particularly in 2015, there was a revolving door of CISOs, though they left of their own volition.
Within six months in 2015, Yahoo went through three CISOs: Alex Stamos, Ramses Martinez, and Bob Lord. Lord left in 2018, and Chris Nims, CISO of parent company Verizon Media, now owns Yahoo's troubled past.