CISOs spend about two years in the role before moving on to the next company, selling themselves — and their organizations — short.
By contrast, Dave Estlick, who joined Chipotle Mexican Grill as CISO in December, spent nearly a decade at Starbucks. Few CISOs boast that length of time. The average tenure for a CISO is about 2.1 years, according to research from Korn Ferry.
The information security industry has a 0% unemployment rate, and competition for talent is unrelenting — even in the C-suite. Job offers mount, and CISOs leave before companies pressure them to transition to what Estlick would call the next curve in security, he told CIO Dive.
Estlick is not the only exception; there are exceptions to every rule, including cases of longer tenures. "We have seen some stickiness recently with stints of three or four years being more of the average," especially for CISOs who evolved product or physical security with sufficient support, Jamey Cummings, senior client partner for Korn Ferry's Technology Officers Practice, told CIO Dive.
CISOs who move among eight to 10 businesses within 20 years have likely only had the opportunity to prepare each organization for the first transition in security, and that's it, said Estlick.
A mini case study
When Starbucks launched its mobile app in 2010, it was known as the largest mobile payment program in the U.S. It was a haven for customers and bad actors.
In 2014, Starbucks acknowledged a security flaw that left stored customer passwords unencrypted. In 2015, hackers leveraged the app's auto-reload function to steal funds. In 2017, a flurry of customers complained about more fraudulent activity.
The app's security went through several iterations before becoming a pillar of Starbucks' loyalty program.
CISOs' responsibilities evolve, depending on the threat landscape, new regulatory pains or digital transformation efforts. "This is definitely not a static space." Starbucks was responding to mobile security threats in real time.
Now, Starbucks offers two-factor authentication and its app is a longstanding leader in the mobile platform ecosystem, reports CIO Dive's sister publication Restaurant Dive. It's even licensing its technology to other restaurants.
Starbucks' former CIO and current Chipotle CTO Curt Garner was Estlick's counterpart during the app's evolution. While Garner left for Chipotle in 2015, Estlick continued to weather the low points in security, a phase he expects in every job he takes.
Bowing out during transitions
CISOs are pressured to leave a dependable foundation for the next generation of security professionals. But there will always be unfinished tasks, no matter their tenure, said Cummings.
To better temper the expectations of a company, Estlick turns to math — specifically math based on the sigmoid function, a "mathematical depiction of a lifecycle," Estlick said.
The function, shaped like an 'S,' is segmented by periods of time: struggle, sustained growth, plateau and decline.
Estlick repeats the 'S' curves in three transitions: build, strengthen and differentiate.
CISOs often leave before each transitional function is complete, according to Estlick. Most CISOs, he says, think there's only one transition in the overall cycle and then depart.
There is only a "handful" of CISOs who see the last transition — from strengthen to differentiate — all the way through, said Estlick. "Too many are moving either in that first phase or if they have gone through that transition, they only think that there's one transition in the overall life cycle."
CISOs who hold the average tenure are only given enough time to move from the build curve to the strengthen curve. "You can go back into the build curve and get really good at that and not be challenged," said Estlick.
Estlick learned that, usually around year six, one of the transitional phases to move onto the next curve appears. "Unless you sit in a role for an extended period of time, you don't know that the next transition is coming," he said.
Ideally, Estlick aims to compress the transition period between each curve. He called attention to the second curve's maturity standpoint. If he could transition to the differentiate curve by year four, it would expedite a company's path to being best in class.