For chief security officers, the paycheck may be huge, but when a company runs into a security scandal, they can be one of the first to go.
The issue came to the foreground after reports surfaced earlier this week that Facebook Chief Information Security Officer Alex Stamos was leaving the social network in August. Stamos reportedly butt heads with Facebook (FB) management over how much the social network should disclose around Russian interference, as well as restructuring efforts to address such issues.
Facebook declined to comment on whether Stamos is leaving in August.
Stamos is just the latest in a string of chief information security officers, or CISOs, whose departures were spurred by major company scandals. When Equifax (EFX) announced it had been hit by a massive data breach last September, the public brouhaha forced the resignations of its chief information officer and chief security officer a week later. Stamos himself is no stranger to security dust-ups, having reportedly quit his job at Yahoo as CISO in protest in 2015 following revelations that Yahoo built software, in compliance with the U.S. government, that was capable of searching users’ email.
“For many [CISOs], it’s a zero-sum game,” explains Susan Etlinger, an analyst for the San Francisco-based Altimeter Group. “When things are going well, it’s not really newsworthy. When things go wrong, you become scapegoats. If you like predictability, I don’t think this is the career for you.”
Coincidentally, other CISOs have also recently made moves, albeit for different reasons entirely and not linked to scandals. Twitter’s (TWTR) chief security officer Michael Coates publicly announced via Twitter he was leaving the site to start his own security startup. Likewise, Google (GOOG, GOOGL) Director of Information Security Engineering Michal Zalewski also said he was leaving the tech giant after 11 years to join Snap (SNAP).
Chief security officers are easy scapegoats
While the average tenure of a CISO across all industries in the U.S. is 4.5 years, according to Forrester, that stint may shorten when it comes to Silicon Valley, simply because of the nature of the work. Running cybersecurity at a high-profile business such as Facebook, which has access to 2.1 billion-plus users’ data and is constantly pushing out new features, arguably has more potential pitfalls than doing so in many other places.
“Tech companies are the tip of the spear when it comes to security,” contends Jeff Pollard, a principal analyst at Forrester. “I think being a CISO at a tech company is definitely different than being a CISO in a different industry, primarily because you’re really dealing with talented people doing bleeding-edge work.”
While running security certainly makes the CISO a potential scapegoat when push comes to shove, on a day-to-day basis, there can also be a tug-of-war between what the CISO thinks is best for the company and what other executives want. For instance, enacting stricter security measures may contradict other executives’ plans for rapid user and revenue growth — a prerequisite for many businesses to succeed, particularly in an über-competitive, fast-moving industry such as tech.
If reports are true, it appears Stamos’ resignation came amid such disagreements internally at Facebook.
“For a CISO like Stamos who operates in that world, they have to protect the confidentiality of information, but their business is also using that, monetizing it and selling it to third parties,” explains Pollard. “In that scenario, you have to take a step back and ask yourself, am I comfortable with how data is collected? Am I comfortable with the kinds of organizations we might be selling this information to? Am I comfortable with how we’re disclosing information about data to users?”
If not, well, it might be time for a chief security officer to move on to the next opportunity.
More from JP