“The IT director constantly ignored the advice of information security, thought that he knew better, and while telling the board that we should improve, undermined my position by telling my peers to let me fail, as he just did not like what I did.
“This resulted in a complaint to HR against my director, for conduct unbecoming a director and also a breach of our corporate ethics policy. HR brushed it under the carpet. A month before my two-year employment period, where employment law would have protected me with unfair dismissal, I was dismissed.”
Another CISO, working in the US pharmaceutical industry, explained why he resigned after blowing the whistle on insider fraud following an M&A.
“There was a merger and acquisition with another bigger US company with a global reach; as this was a publicly traded business, we had Sarbanes-Oxley and SEC compliance, which fell under my remit, as the parent organization's information security function was less mature than ours.
“There were a number of financial irregularities throughout the year, and while carrying out some analysis on data loss prevention, I came across what looked like fraud and insider trading. One of these was a regional CFO, who I got on well with.
“The information was not conclusive, and after debating with myself for a week what to do, I passed on the information in confidence to the new CEO in accordance with our own policies (ethics, and whistleblowing). The CEO then forwarded on my confidential email to the person I reported asking what was going on, in which I straightaway received retaliatory action against me.”
He resigned the day after, but four months later the company filed for bankruptcy, and later last year the old CEO and CFO were investigated by the SEC.
So, how do CISOs avoid getting the chop? Here are three tips:
- “Definitely know your scope, and your boundaries, plus where you can break [the business] and where you can add value.”
- “Understand the business and be clear what the priorities of the business are.”
- “Try and make it real for executives. If they understand it and it challenges them, then you're less likely to be sacked!”