The Security Person Who Stays

Most state CISOs last under two years. Here's what it actually takes to build something that outlasts you, and why tenure is the wrong metric anyway.

Tags: cybersecurity, leadership, public sector

Jason Walker

State CISO, Florida

The average state CISO lasts under two years in the job. I read that statistic and felt it land in my chest like a dropped wrench.

Not because it surprised me. Because I've lived on both sides of that number.

When Virginia recently promoted their longtime CISO to the CIO role, the headline that stuck with me wasn't the promotion. It was the buried detail: this person had been in a state CISO role for more than a decade. In a field where two years is average, a decade is almost mythological. It made me think hard about what that kind of tenure actually requires, what it costs, and whether the people who leave fast are wrong, or just honest about something the stayers haven't admitted yet.

I came up through the Marine Corps before I ever touched enterprise security. The Corps has a specific relationship with tenure and institutional knowledge that civilian organizations rarely replicate. You rotate people constantly, by design. The theory is that broad experience produces better officers. The reality, at the working level, is that institutional memory walks out the door every 18 months and someone new spends six months learning what their predecessor already knew. The organization survives because the doctrine is written down and the junior enlisted stay longer than the officers. The mission knowledge lives in the sergeants, not the colonels.

State government security is the same dynamic, inverted. The political appointees rotate. The career staff stays. But in most states, the CISO role sits at that uncomfortable intersection of political appointment and technical execution. You're accountable to an administration that changes on a four-year clock while you're trying to build security architecture that needs a ten-year horizon to mature. That tension doesn't resolve. You manage it, or it manages you.

I've watched it manage people. Smart people, experienced people, people who knew exactly what needed to happen and couldn't survive long enough in the role to make it happen. The failure mode isn't usually incompetence. It's the opposite: clarity about what's broken combined with not enough runway to fix it. You see the gaps. You build the plan. The administration changes, priorities shift, your budget gets cut or redirected, and you're suddenly defending last year's strategy to a new audience that doesn't share last year's context. Some people fight through that cycle two or three times. Most people exit.

The ones who stay long enough to actually build something share a trait I'd describe as institutional patience, but that phrase doesn't capture the friction involved. It's not passive. It's active, grinding, daily work of re-explaining, re-justifying, re-connecting the technical work to the political priorities that just changed again. Every new administration is a chance to lose the thread you spent years pulling. Keeping it requires the same discipline I apply to long-position trading: you have a thesis, the market moves against you, and you have to distinguish between "I was wrong" and "the timing is wrong." Most people conflate those two things and exit positions, or jobs, that were right on the long timeline and just uncomfortable in the short one.

I finished my doctoral research on public sector cybersecurity governance while working inside the ecosystem I was studying. That dual position is awkward. You see things from the inside that the academic literature can't capture because the literature is built on what people are willing to put in writing, and the most important dynamics in state government security are never written down. The budget games. The inter-agency negotiations that determine whether your program gets real resources or gets paid lip service. The difference between a governor who actually cares about cyber risk and a governor whose staff added "cybersecurity" to the talking points because it polls well.

The long-tenured CISO navigates all of that and stays visible enough to matter without becoming so political that they lose credibility as a technical voice. That balance is harder than any certification exam I've ever seen.

Here's what I think actually produces tenure in this role: the ability to translate, specifically, to translate between the security reality and the political reality without lying to either side. Most security leaders are good at one direction. They can explain technical risk to technical people. They struggle to make a governor's chief of staff care about log ingestion architecture. The ones who figure out that translation, who can walk into a budget meeting and tell a story about risk that connects to what politicians actually lose sleep over, those are the people who get to stay long enough to build something.

Flying taught me a version of this. When you're in the air, there's what the instruments say and what the situation looks like out the window. Sometimes they agree. Sometimes you have to synthesize two conflicting pictures into one decision. State CISO work is constant instrument-plus-visual synthesis. The threat data tells one story. The budget tells another. The statute tells a third. The governor's priorities tell a fourth. Your job is to fly the airplane using all four inputs simultaneously and not fixate on any single one.

The promotion in Virginia is worth paying attention to because it signals something about how at least one state thinks about the relationship between security and technology leadership. Security-first thinking at the CIO level is not universal. There are states where the CIO role is primarily a procurement and project management function, where security is a compliance checkbox rather than a design principle. Putting a long-tenured CISO in the top technology seat says something about what the organization believes about how those disciplines should relate.

I'm not naive about what that transition requires. Moving from CISO to CIO means inheriting problems that security thinking alone doesn't solve. Procurement cycles, legacy system modernization, workforce strategy, the political reality of enterprise IT at state scale. Security people who move into broader technology leadership often discover that their mental models don't transfer cleanly. The risk calculus changes. The stakeholders change. The definition of success changes.

But the skill that made someone a durable CISO, that translation ability, that institutional patience, that capacity to hold a long thesis through uncomfortable short-term turbulence, those transfer. They're the foundation of any executive role in public sector technology, not just security.

Two years is the average because the job is genuinely hard and the support structures are often inadequate. The people who stay a decade aren't just tougher. They figured something out about the institution, about the politics, about themselves, that the two-year people hadn't solved yet.

That's worth more than any award. Though the award doesn't hurt.
