WavebreakMediaMicro - stock.adob

The nature of the CISO role will be in flux in 2023

As cyber risk outpaces organisational defences, and cyber attacks and breaches cause more and more damage, the nature of the CISO role is entering a state of flux, according to a report

The role of the chief information security officer (CISO) is in a state of flux, with changing dynamics such as increasing levels of risk and threat, more stringent regulation and compliance, making a once niche role crucial to the modern-day enterprise, and altering the fundamental nature of the job.

That is according to a newly published report produced by Marlin Hawk, a global executive search and leadership advisory firm, which took the temperature of almost 500 of the world’s top CISOs in the Americas, Europe and Asia-Pacific (APAC).

Some of the most significant findings from Marlin Hawk’s third annual Global CISO research report include a shift in underlying qualifications, growth in internal hiring, and declines in CISO turnover rates.

“Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace,” said James Larkin, managing partner at Marlin Hawk.

“This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the ‘softer’ skillsets of communication, leadership and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”

The research found that the role of the CISO was becoming more industry-agnostic, with 84% of respondents having worked across multiple sectors, with the expectation that they bring more breadth of leadership to the role.

As such, 36% of reporting CISOs with a graduate degree said they had a higher degree in business administration or management, but this was actually down 10% on the previous report, and in contrast, 61% of CISOs now boast a higher degree in a science, technology, engineering or mathematics (STEM) competency, up 15% on 2021.

“I would say that you shouldn’t have the CISO title if you’re not actively defending your organisation – you have to be in the trenches,” said Yonesy Núñez, CISO at Jack Henry Associates, a provider of technology services to the financial sector, who was interviewed for the report.

“I also feel that over the last eight to 10 years, the CISO role has become a CISO-plus role – CISO plus engineering, CISO plus physical security, CISO plus operational resiliency, or CISO plus product security. As a result, we’ve seen multiple CISOs that have done a great job with cyber security, fusion centres, SOC and leadership. This has paved the way for the CISO office to become a business enabler and also a transformational technology function.”

Kevin Brown, senior vice-president and CISO at IT services firm SAIC, added: “We have over 100 countries at this point with their own data privacy legislation, which makes doing global business in a compliant manner trickier than it used to be. As a result, in most organisations we’re seeing a tighter connection and collaborative spirit between data officers, CISOs, legal teams and marketing.

“CISOs have to be in the know on all priorities for these different sectors of the business, so they can take them into account when writing policies – it’s a more complex job than it ever used to be.”

Meanwhile, about 62% of global CISOs said they were hired from another company, indicating a slight increase in the number of internal hires – 38% compared to 36% last year. Job turnover rates were also declining, with 45% of CISOs having been in their current role for less than two years, down 8% year on year, although this is still quite high.

Marlin Hawk’s Larkin suggested that this may be the result of boards, regulators and shareholders demanding improved security controls, better risk management, and more people and departments focused on cyber, which means there are more options for internal succession as more people with the relevant skills start to appear across the organisation.

Read more about CISO challenges

“Now candidates are being internally promoted to the role of CISO from IT risk, operational risk management, IT audit, technology risk and controls, among others,” said Larkin.

“Not only does this give regulators more comfort that there are multiple sets of eyes on this at the leadership level, but it has also vastly increased the size of the succession talent pool and is helping to future-proof the information security industry as a whole.”

The high turnover rate among CISOs could reflect several factors, one of the more impactful of which is likely to be the fact that many CISO hires are made off the back of an incident, leading to fast-tracked decisions and possibly a lack of scrutiny and due diligence in the recruitment process. But there are other issues in play too, as Shamoun Siddiqui, CISO at US retail giant Nieman Marcus Group, explained.

“First, their skillset is not up to par, and they get quietly pushed out by the company,” said Siddiqui. “Due to the extremely high demand for security leaders, often individual contributors get elevated to the role of CISO, and they get overwhelmed within months.

“Second, they have an insurmountable task with unrealistic expectations, and there is a lack of support from their peers and from the leadership of the company. The company may be paying lip service to cyber security, but may not be forward-thinking enough to make it a priority.

“Third, they just get enticed by a better offer from somewhere else. There is such a shortage of security professionals and security leaders that companies keep offering increasingly high salaries and benefits to CISOs.”

Given the current candidates’ market in which CISOs hold most of the cards, ensuring cyber leaders last longer than 18 to 24 months depends on a number of factors, said Larkin.

“Hiring managers need to address two issues when it comes to retaining their new and existing cyber leaders,” he said. “CISOs need to go through a more robust assessment process to test for longevity, commitment and cultural affiliation with the organisation. You need to be sure they are in it for the long haul and will do the right thing by the business. Then you need to ask yourself: how are we going to retain our number two, who has just missed out on the top job?

“Expanding their responsibilities, giving them board exposure and making them the de facto deputy CISO can all help. It is important to remember that the CISO may have been chosen by the board but not necessarily by the team. It is important to get them onside – and quickly.”

Marlin Hawk’s report also explored the perpetual diversity gap in information security, finding that the upper echelons of the profession remain majority white and male. Just 13% of the CISOs surveyed were women, and only 20% were people of colour. The path towards greater diversity in cyber leadership will be a long one, and requires a shift towards building a diverse pipeline at the earliest possible stage of a cyber professional’s career, said respondents.

Read more on IT risk management