
Career Longevity & The Don't Fire Me Chart

  • Phil Venables
  • 4 minutes ago
  • 2 min read

One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over the long term. Transitioning to a more defensible security architecture requires persistence, engagement, and leadership commitment over several years, perhaps longer.


But the more fundamental problem organizations often face is that, when driving improvements, things can start to look worse before they get better. I’ve talked a lot about this recurrent pattern as an “uncanny valley”. More specifically, it is a common root cause of much short-term CISO turnover, and the answer is often quite simple:

Tell people things are going to seem worse before they actually get better.

Let’s revisit my original post from 2020 on this topic, which sadly is still as relevant today as it was back then, or in the early 2000s when I first personally used the “don’t fire me chart”.


________________________________________________


To fix anything sustainably requires long-term action. This is especially true in technology risk and cybersecurity. The trouble is that this is also a space where there is often impatience to get results fast. Sometimes this is workable; many times it is not. The end result, in a number of organizations, is constant turnover in the C-ranks (CISO, CTO, etc.). Let’s examine why.


1. Issues (risks, incidents, etc.) are going up, so they hire or assign you to fix them.


2. You hit the ground running and find a bunch of quick wins and start reducing the number of issues. So far so good.



3. Then you start digging deeper, improving monitoring, risk assessments and other instrumentation. As a result, you start finding even more (previously unknown) issues that need fixing. At this point management wonders why you have made the situation worse and decides they need someone new.




4. Then a new person turns up, applies the same method, typically reinventing/replacing what you did, and so the cycle continues. Often, given entropy and the usual net increase in risk, the graph keeps trending up despite the occasional downward move.



5. However, if you get the support from leadership and get to push through then you will hit a sustained lower level of issues. Many organizations have done this.


Bottom line: when you are new to a role or assignment, show people this last chart and remind them that things may start to look worse before they get better and that can be a sign of being on track. Show them the point where you don’t want to be fired.



© 2020 Philip Venables. 
