Then, once a breach happens, someone falls on their sword -- and that someone is the CISO.
"If you're going to be a CISO in the near future, keep your resume updated, because you're going to be moving around for a few jobs," Cole said. "CISOs are like NFL coaches -- they don't go away, they just go from team to team."
"We've seen CISOs fired after a high profile breach has occurred," said Frank Mong, vice president of solutions for HP Security. "With the level of stress and risk taken on by CISOs today, there is a high rate of burnout. The role of the CISO is no walk in the park."
But there is a way out, said SANS Institute's Cole.
New CISOs need to start by educating their boards about the relative costs of risks.
How much would perfect security cost? How much can the company actually afford? What risks is it willing to take?
"You have to understand the risk appetite of the executive team," Cole said. "Then you need to define clear metrics for security that they can understand."
Joining the board
There is one more step that corporate boards can take to improve security -- bring a security expert onto their board.
"I think we're going to increasingly see search committees looking for directors who can demonstrate particular technology competencies," said Gerry Stegmaier, partner in the privacy and data security practice at Goodwin Procter LLP.
Earlier this year, for example, Wells Fargo elected retired Air Force Maj. Gen. and commander Suzanne Vautrinot to its board of directors. At Air Forces Cyber, she oversaw a multi-billion dollar global cyber enterprise with 14,000 military, civilians, and contractors.
"This topic has become so important that in a few cases, we've even seen federal regulators encourage boards to add more cyber expertise to the board," said Jim Jaeger, chief cyber services strategist at Fidelis Cybersecurity.
If you can't beat them, join them
Becoming a member of a corporate board can be a great career move, according to Gerry Stegmaier, partner in the privacy and data security practice at Goodwin Procter LLP. Here's how to best position yourself for a directorship.
- Go back to school. It helps corporate directors to have a broader knowledge of business, and an MBA can help.
- Find mentors. "One of the best things you can do is seek out people who are already on boards for mentorship and guidance," Stegmaier said.
- Serve on non-profit boards. Non-profit boards are an opportunity to learn how to be a board member, and to network with other directors.
- Accept a supporting role. You might not be a director yourself, but by helping out you can get a sense of how boards work from the inside.
- Get a job outside of IT. To get on a board, especially a large public corporate board, it helps to have been a CFO, COO or CEO of a public company.
- But don't let your IT job stop you from trying. As cybersecurity becomes more important, some boards are willing to look at candidates with a narrower background.
- And don't let a minority background get in the way. Although corporate boards are still heavily dominated by the white male demographic, there's growing awareness that more diverse boards lead to better corporate performance. "And companies are starting to realize the value that women have," he added.