In today’s digital world, information security is a paramount concern for organizations of all shapes and sizes. With the growing importance of security and the fact that board members are also responsible for ensuring the proper level of risk (including cybersecurity risk), Information Security Officers have risen to board-level importance in many organizations.
However, as this role grows in scope and importance, it also introduces vast irregularity with the Chief Information Security Officer (CISO) role. A CISO’s job description can vary greatly across businesses and industries, but all have the core responsibility for their organization’s cybersecurity.
Even though the constants for CISOs are inconsistent, there are more changes on the horizon. “The largest and most impactful I see as far as changes go regarding the CISO role is responsibility and reporting structure,” says Arnel Manalo, VP & CISO, Evergreen Home Loans. “Sure, there are a ton of new regulations, new attacks, new technology and the like. Arguably, that is a constant and never going to stop.”
If CISOs picked a word of the year for 2023, it would likely be “more.”
They’re more technical
According to executive search firm Marlin Hawk, CISOs with advanced STEM degrees outpaced those with advanced business degrees for the first time. In fact, CISOs with a STEM degree rose by 15% from 2021 when it was evenly split between STEM and advanced business degrees.
This shift is a product of a more complex, and evolving, threat landscape. Today’s CISOs benefit from both technical background and a business-minded focus.
As businesses decentralize work and applications, face increased regulatory pressures, and craft proactive security strategies. CISO’s need to leverage their business acumen and technical skill and industry expertise become less pertinent. The ability to meet the demands of the role is more important than having years of experience in a particular industry vertical. Though, it is worth noting that in some more highly regulated industries, having a technical resource with industry experience can be a benefit.
They’re covering more ground
What was once a niche IT role has grown exponentially in recent years. CISOs are covering more ground in their organizations. Rather than being seen as a digital security guard, CISOs are charged with being organizational leaders and agents of change.
While defense remains at the core of the CISO function, they are also being asked to deliver on a wider variety of responsibilities. CIO Dive elaborates on the expanding CISO role that includes “areas such as engineering, business risk, operational resiliency, product design, and security and technology architecture.”
This broadening role takes CISOs out of a purely defensive security role and into important proactive conversations around designing, building, and implementing new technologies that support the growth of the organization. As Shamoun Siddiqui, CISO at Neiman Marcus Group points out, today’s CISOs are bridging the gap “that has historically existed between the two silos of information security and infrastructure.”
Arnel Manalo points to increasing regulatory requirements as part of the shifting CISO landscape, “[s]pecifically, the SEC proposed rules that will change disclosures about cyber incidents along with everything that goes along with governing and managing incidents. Some high-level specifics are filing them in their 8-K within four business days and provide updates quarterly and annually (10-Q and 10-Ks). These items alone beg the question that is commonly discussed, who should the CISO report to? Should the CISO be named a formal executive of an enterprise? Should they be specifically named and/or included on D&O policies?
From conversations amongst peers, the answers seem to come down into two positions. Either the answer is somewhere along the lines of, yes – they will be named a formal executive in where they report directly to the board and have that direct exposure to key stakeholders. That comes along with the full executive treatment as well. Others, I have seen, take the perspective to keep the CISO out of the boardroom and to specifically state that the CISO is NOT a decision maker and that someone or a group collectively are responsible for security related decisions. The CISO is a mere tool and expert to help provide perspective. Leaving the CISO out of the ‘cross-hairs’ of the weight and responsibility of fully owning an enterprise’s security posture.”
Yonesy Núñez, CISO at Jack Henry Associates, references the burgeoning “CISO plus role” that sees CISOs taking on engineering, physical security, operational resiliency, and product security among other duties as necessitated by their business. The diverse challenges a CISO faces has transformed the role making them transformational leaders in forward-thinking organizations.
They’re more in demand
“There is a positive shift happening in the CISO role,” according to Jason Hamilton, Director of IT Security at Cologix, “as businesses begin to recognize Information Security as a utility and cost differentiator, as opposed to the traditional perception as an operational expenditure.”
“The catalyst for this shift can largely be attributed to the highly publicized increase in cyber-crime, perpetrated by global hacker groups causing financial impact that cannot be ignored by any industry,” Hamilton continued. “The ripple effects have surfaced as necessary cyber insurance policies, broad regulatory compliance requirements, numerous state and nation-specific data privacy laws, and consumer demands, all requiring the guidance (and often the explicit presence) of a CISO to provide the identification, protection, and mitigation of cyber threats to the business.”
And he’s right, in 2022 ransomware attacks increased by 130%. We have not only experienced an increase in the volume of attacks but the type of businesses being targeted (Hint: It isn’t just healthcare and financial services) along with the type of attack has fundamentally shifted to cover operational interruptions in addition to data security.
The growing number of attacks and subsequent fallout led to more rigorous security requirements for organizations and made cyber insurance more challenging to obtain. In order to manage compliance across federal agencies and private insurance, organizations need a proactive and robust approach to cybersecurity, the kind of approach driven by a CISO.
With more attacks occurring in more organizations, the previously niche role of CISO has become more mainstream. CISO roles are no longer reserved for international organizations dealing with a high volume of personal data. In many cases, they are no longer reporting through IT or the CIO. Today a wide swath of organizations can benefit from an executive-level cybersecurity role.
As a side effect of increased risk levels, growing responsibilities, and more prominent roles within organizations, CISOs are now more expensive to recruit and retain. Not only is there an estimated shortfall of 700,000 cybersecurity professionals in the United States alone, but cybersecurity jobs also tend to have a high turnover and burnout rate.
It’s important to consider the current economic climate in conjunction with organizational need for executive-level security leadership. Drew Labbo, Principal and Owner of RMHG, shares, “[w]ith the current economic uncertainty particularly with inflation and the fed raising interest rates to slow the economy, some CISOs must explore avenues to do more security work with less budget and personnel, which means fine tuning their program’s priorities hopefully based on a risk analysis or cyber security compliance requirements.”
When budget and need are at an impasse, Labbo continues, “[s]ome CISOs have no choice but to delay, defer, or decrease information security operations to some degree, and I believe some CISOs may need to roll up their sleeves and get their hands dirty to keep the shop running.”
Finding the right CISO for an organization, getting them on board, and keeping them is no small task. Qualified candidates are expecting high compensation to compete with the market and that reflects the high-stakes nature of their work. This coupled with businesses moving into more conservative spending habits presents a significant challenge in the decision to hire a CISO.
Heading into the next year there are simply not enough candidates to fill the much-needed CISO roles. Businesses are more in need of this type of leadership than ever before given the threat landscape and the changing regulatory environment. Seems like a catch-22 for forward-thinking organizations. However, many are finding success with virtual CISOs (vCISOs).
A vCISO arrangement provides access to security professionals with extensive experience for a fraction of the cost of a full-time CISO. The addition of a vCISO can also bring with it access to a more well-rounded security team that a business may not need on a full-time basis.
If your organization is curious about how a vCISO can help improve your security posture, let’s chat.