Chief information security officers feel both anxiety and opportunity as the new year starts.
That’s the summation of the analysis done by IANS Research and Artico Search in their State of the CISO 2023-2024 report. It’s an 18-page summary of interviews conducted last fall with 100 American and Canadian CISOs, plus data collected from 663 CISOs in the middle of last year on compensation, budget dynamics, board engagement and job satisfaction.
It notes that pressures on CISOs include many companies pulling back cybersecurity spending because of the economy, increasing cyber attacks, regulators breathing down the necks of companies, and the rise of generative AI tools, which offer new opportunities for advanced threat detection and automation but also pose new threats in themselves.
“In this rapidly evolving landscape, traditional CISO role characteristics may no longer suffice,” says the report. “This situation gives CISOs an unprecedented opportunity to argue for a place in the executive ranks. Furthermore, the increased security pressure on organizations gives CISOs more ammunition to influence leaders outside of their direct sphere of control.”
Among the findings:
— Compared with 2022, CISO job satisfaction fell — a sign of unease with the status quo. The drop in satisfaction coincides with a growing share of CISOs considering a job change (75 per cent considering a change, up from 67 per cent in the previous study);
— This may have something to do with lack of recognition. While 63 per cent of respondents said they have a VP or director-level position, just 20 per cent are at the C-level;
— CISOs seeking clear risk guidance from boards often don’t find it. Only 36 of the respondents said their board offered clear guidance on their organization’s risk tolerance for the CISO to act on;
— One bright spot: There’s evidence that spending time enhancing leadership skills through external training pays off. CISOs who engaged in formal leadership training courses or one-on-one executive coaching programs earn more, with a difference of over US$200,000.
The report argues that the U.S. Securities and Exchange Commission’s updated cybersecurity reporting rules, and the increased exposure that CISOs face, call for strong collaboration between the CISO and company leadership, including the board. That includes regular and recurring CISO-board collaboration in the form of quarterly updates, tabletop exercises and the like.
For half of the respondents, this is the case at their organization. However, a quarter of the respondents said board access is limited to just once or twice a year. Twelve per cent said they meet with the board purely on an ad hoc basis. But 13 per cent said they never see the board.
“Even among companies with annual revenue exceeding US$10 billion — most of which are publicly listed firms — just 60 per cent of respondents said they meet with the board regularly,” says the report. Director-level CISOs are the least likely to have quarterly recurring board engagement.
The report warns that for CISOs to effectively communicate demands for risk guidance and budget needs with their board, they need:
— business acumen, meaning the ability to understand corporate strategy and financial statements as well as the ability to frame risks in terms of possible economic impact on the organization;
— and executive presence, which is the ability to be persuasive, direct and decisive with the board and C-suite.