CISO Roles Face Growing Pains as Boards Shine Spotlight on Cyber
Chief information security officers (CISOs) are in a conundrum. They are facing both anxiety and opportunity in 2024, which a new report attributed to reduced cybersecurity spending, increasing breaches, the rise of generative AI tools, and stricter cybersecurity rules that emphasize disclosure requirements. While CISOs have the chance to take on more leadership roles at the organizational level, many do not have the business management skill set at the ready to take on those challenges.
The State of the CISO 2023-2024 Report from IANS Research and Artico Search surveyed more than 660 CISOs and conducted in-depth conversations with more than 100 CISOs to better assess the challenges and opportunities in front of today’s cybersecurity leaders. But the report found that the weight of current conditions is out of balance with new expectations arising from regulations and growing CISO accountability.
While 76 percent of CISOs come from a mostly technical background, where risk management is often secondary, CISOs today are being called to serve as a business risk function, prioritizing business acumen over purely technical skills, the report said. This disconnect is driving job dissatisfaction, which rose compared with 2022. As a result, 75 percent of CISOs were considering a job change (compared to 67 percent in 2022), which indicates most CISOs are looking for job conditions to improve.
“The evolution of the CISO role over the past few years has accelerated dramatically,” says Nick Kakolowski, research director at IANS. “More CISOs are being asked to step into larger roles in the business, taking on more risk, and orgs haven’t figured out how to support and empower them as the scope of the role grows.
“The most obvious reason that CISOs are looking for new jobs at a higher rate than normal is purely economic—2023 was a slow year for hiring as orgs were cautious in a tight economy,” he continues. “However, we’re also seeing CISOs become increasingly frustrated by increased expectations and pressure, in an already demanding role, without commensurate changes to budgets, organizational support, or compensation packages.”
Although the new CISO role is being treated as a C-level position, just 20 percent of CISOs reported that they are at the C-level in their organizational hierarchy. In 63 percent of cases cited by the report, the CISO role is a vice president- or director-level position, and 90 percent of CISOs are at least two organizational levels removed from the CEO. Two-thirds report into a manager in a technology function, such as the chief information officer or chief technical officer, further removing them from a business-centric reporting line and insights into organizational leaders’ risk outlook.
“There’s a lot of pressure on CISOs right now as the market corrects to new expectations. But, at the end of the day, this pressure represents a new opportunity,” Kakolowski says. “It’s a seat at the proverbial table that CISOs have been fighting for. These are growing pains, and I won’t diminish that the challenge facing businesses and CISOs is very real, but we could look back at 2023 as a positive turning point for the industry.”
The findings noted that traditional CISO role characteristics—such as a heavy focus on technical skills—may no longer meet organizations’ needs in the current and future risk landscape, giving CISOs an opportunity to argue for their place in the C-suite. This will be a challenge for many CISOs, especially because only 2 percent said non-cyber skills and domains were key during their pre-CISO years. The two dominant career paths to CISO jobs are technical (76 percent) and risk/compliance (22 percent).
Although CISOs with technical backgrounds earn more, a lack of leadership skills can come back to bite them.
“CISOs need to be able to communicate effectively with their board in order to meet reporting requirements, improve budget alignment, and push for clear risk tolerance guidance,” the report said.
To achieve that, CISOs need business acumen (comprising the skills needed to speak about risk in the board’s language, financial literacy, and the ability to frame risks in terms of economic risk or opportunity costs, instead of technical vulnerabilities) and executive presence (the ability to be persuasive, direct, and decisive in interactions with leadership; includes skills such as storytelling, situational awareness, and an understanding of the board’s roles and responsibilities).
“Many CISOs have been siloed by the business, with their skills development focused on technical capabilities and team leadership,” Kakolowski tells Security Management. “Accelerating executive skills development is critical.”
In addition, he says, “The importance of executive presence is a constant refrain. That ability to style shift, adjust messaging, and contextualize the security team’s work within the larger business strategy continues to become more important for CISOs.”
Skills development can also be financially rewarding. Two-thirds of CISOs surveyed for the research report have completed or are in the process of completing formal leadership training courses or one-on-one executive coaching programs to boost their business acumen and executive presence. CISOs who participate in such programs have higher pay—exceeding the salaries of those who have not completed a leadership skill development program by more than $200,000.
“There’s a lot of variability in the industry,” Kakolowski explains. “The CISO role is still defined very differently by businesses. In some orgs, CISOs have significant executive exposure and have had opportunities throughout their careers to build the business-centric skills needed in today’s market. In others, CISOs have been shuttered in the back office with business executives being unreceptive to risk guidance coming out of the cyber division. The CISOs who are most confident in this changing environment are the ones who have significant board exposure, gone through the growing pains of learning how to communicate at the board level, and built strong partnerships with the rest of the management team.”
Those essential business skills enable CISOs to communicate more effectively with boards of directors during quarterly updates, tabletop exercises, and other meetings. Half of the CISOs surveyed said they engage with their board quarterly, but for 25 percent of CISOs, board access is limited to just once or twice per year; 12 percent meet with the board on an ad hoc basis, and 13 percent have no engagement with the board at all. CISOs at the director level are least likely to have quarterly recurring board engagement (26 percent engage with the board quarterly, compared to 60 percent of executive-level CISOs) and are therefore less likely to gain insights on the board’s risk tolerance.
The majority of CISOs surveyed said that boards should offer clear guidance on their organization’s risk tolerance for CISOs to act on, but just 36 percent found this to be the case.
“Our data points to a strong relationship between regular access to the board and stronger satisfaction for CISOs,” Kakolowski says. The report found that just 28 percent of those CISOs without regular board engagement are satisfied in their jobs compared to 57 percent with at least infrequent or ad hoc board contact.
“Individuals with regular access to the board tend to feel more connected to the business and believe there’s a stronger connection between business and cyber strategies,” Kakolowski adds. “Reporting to the board raises the stakes for CISOs, but it comes with real rewards when the relationship between the CISO and the board is strong.”