A set of unique conditions has set the stage for the perfect storm, leaving more than 7 out of 10 Chief Information Security Officers (CISOs) thinking it might be time for a job change.
While global economic uncertainties, volatile financial markets, and budget slashings are unfolding, the cybersecurity sector and CISOs are once again under pressure. Impacted by the escalating and non-stop flow of cyber attacks and new regulations, CISOs’ roles are transforming in challenging ways.
IANS Research and Artico Search released the State of the CISO 2023-2024 Report, concluding that as 2024 begins, the state of the CISO reflects a duality of “anxiety and opportunity”.
Key Takeaways
- Most CISOs are unsatisfied with their current work environment.
- Pressured by increasing waves of cyberattacks, economic uncertainties, tech layoffs, and budget cuts, CISOs are being asked to do more with less.
- Amid the crisis, the role of CISOs is transforming from a heavy technical one to one that aligns with executive positions, responding to boards, stakeholders, and regulators.
- Still, innovation and cultural changes are opportunities to build upon.
Key Findings of the CISO 2023-2024 Report
The State of the CISO 2023-2024 report explored various aspects of the CISO role, including job satisfaction, job level, board engagement, compensation, budget dynamics, and background.
Over 660 security executives, including 100 prominent CISOs from across the US and Canada, participated in the survey, revealing that CISO job satisfaction levels are on a sharp decline.
While more than half of those surveyed said they are satisfied with their job, 75% are open to a change. As CISOs take on more executive roles and responsibilities, they are also facing C-suite level challenges, especially for those working in public companies and bound by regulations such as the new SEC rule. The IANS report explains where the pain points are found.
“CISOs seeking clear risk guidance from boards often don’t find it. Only 36% indicated their board offered clear guidance on their organization’s risk tolerance for the CISO to act on.”
Naturally, CISOs have a strong background and credentials in cybersecurity and technology, but this niche skill is no longer the only one required for the functions. The study concluded that those security experts who enhance their leadership skills through external training are finding rewards and are better compensated. However, it was also found that only 2% cited domains outside of cyber as key during their formative years.
The Transformation of the CISO Role
Ariel Parnes, former Head of the Israeli Intelligence Service Cyber Department and COO and Co-Founder at Mitiga, spoke to Techopedia about new regulations, digital infrastructures, cloud migrations, and the new CISO role.
“In the era dominated by on-prem data centers, the Chief Information Officer (CIO) was at the forefront of an organization’s digital strategy, with ‘information security’ as just one aspect of their purview.
“However, as companies increasingly move to the cloud, a significant portion of the responsibilities traditionally held by IT leaders is now being managed by cloud service providers.
“Despite this shift, the onus of ensuring security remains, and arguably grows in importance, under the ‘shared responsibility’ model inherent in cloud computing.”
Parnes added that the latest Securities and Exchange Commission (SEC) regulations on cybersecurity, along with their European counterparts, “are a clear indicator of the evolving role of the Chief Information Security Officer (CISO), as detailed in the recent State of the CISO report.”
“These regulations underscore a pivotal shift in the CISO’s responsibilities, aligning with the broader digital transformation landscape, notably the transition to cloud computing.”
The CISOs’ Challenges and Risk Quantification
Richard Caralli, Senior Cybersecurity Advisory, Axio, also spoke to Techopedia about regulation pressures and the many challenges CISOs face.
“Regulatory pressures will only increase from this point forward, and transparency about cybersecurity posture will become an expectation.
“CISOs will be expected to lead this transition, but success will be dependent on the degree to which they can balance organizational contributions with the independence that allows them to communicate cybersecurity gaps openly and honestly without retribution.”
Caralli said that the IANS report signals the elevation of the CISOs’ role to the level of other C-suite peers. “But this will not happen easily as most organizations continue to view the CISO’s role as primarily technical,” Caralli warned.
“A roadmap for the CISO’s transition is linked to the ability to integrate cybersecurity risk into the organization’s enterprise risk management ethos, where it is manifested and elevated alongside other risks — such as credit risk or market risk — which are monitored closely for potential impact on operations, revenue, and reputation.”
While Caralli agrees with the report when it suggests that CISOs must have a direct but independent line of communication with CEOs, C-suite, and boards, Caralli adds that this requires “careful navigation”.
“Organizational politics and influence as, for example, the formation of 10-Q and 10-K statements [SEC reports] are typically carefully orchestrated to be informative but not damaging to the organization,” Caralli said.
Caralli said that the CISO transition, which entails serving as a business risk function, is also challenging as it requires mastering skills related to governance, risk, and compliance.
“As the report suggests, only 22% of CISOs have these foundations before they elevate to the job.
“The situation facing CISOs in transition — and cybersecurity professionals in general — will get worse. Many CISOs may be unable or unwilling to make a significant transition away from their ‘technical safe space’ into an ‘executive presence’ as suggested by the report.”
Caralli spoke about the potential of risk quantification as a new “language” capable of bridging the technical divide between technology, cybersecurity environments, and enterprise risk management.
“CISOs would be wise to incorporate quantification into their skill set as a way to communicate cybersecurity gaps and investments in terms that other C-suite fiduciaries already use on a daily basis.”
Many experts have highlighted risk quantification merged with data storytelling in the past years as an effective tool for CISCOs to engage successfully with decision-makers, executives, and boards. As Caralli explains, sometimes it’s all about dollars and cents.
“Being able to demonstrate in dollars and cents the potential impacts of diminished cybersecurity on the organization’s bottom line is essential, as is the ability to convince C-level peers that strong cybersecurity can be a revenue-generator.
“For example, customers might be more willing to do business with organizations that respect their data security and privacy.”
AI in the CISO Life
Artificial intelligence, in particular generative AI, also positions itself to lead a new era, and that is not all good news. Top international intelligence agencies such as the GCHQ, the UK intelligence, cyber and security agencies are sounding the alarm on how cybercriminals will leverage AI.
But despite the evident danger the tech poses, IANS says it also represents opportunities for CISOs. The State of the CISO 2023-2024 report reads.
“The unprecedented rise of generative AI tools that offer CISOs new opportunities for advanced threat detection, automation, and adaptive defenses, but also pose new threats in themselves, as well as an expanded attack surface.”
AI can also help CISOs drive automated smart compliance as regional regulators like the SEC, the New York State Department of Financial Services (NYDFS), and many other international, federal, and state regulations emerge, bringing in stricter standards to the rules and disclosure requirements for both private and public companies.
However, when turning to AI, CISOs must walk a fine line as there are risks. Caralli shared some words of caution for CISOs regarding AI and automation.
“In the end, it is unreasonable for organizations to deploy significant levels of technology and automation — and a rapid rise of use of the cloud and AI technologies — without sufficiently and commensurately considering the risks of doing so, which are primarily managed by CISOs.”
Caralli added that CISOs need to transform their role in the organization. Still, the organization must also recognize the value of the CISO as “the gatekeeper of the technology and the automation engine that keeps the organization running and growing”.
“Until that happens — and while the CISO plays an auxiliary role — organizations are potentially overexposed to manageable and foreseeable risks that CISOs should have the independence to freely bring to their attention.”
Skill Shortages, Talent Gaps, and Mental Health
As Techopedia reported, skill shortages and talent gaps in the cybersecurity industry are concerning — with over 4 million more security experts needed to fill positions in late 2023. This job market trend is expected to continue throughout 2024 as tech layoffs and hiring and promotion freezing become the norm.
Furthermore, the burn-out that cybersecurity experts experienced during the pandemic and post-pandemic era has also shape-shifted and transformed into something much more sinister.
The January 2024 report of the Royal United Services Institute (RUSI) revealed that cybersecurity experts are being hospitalized (PDF) after dealing with the stress caused by ransomware attacks. RUSI interviewed UK security experts at the forefront of ransomware attacks and their aftermath.
“RUSI found that individuals were suffering from stress-related illnesses, alongside financial, reputational and social harm as a result of ransomware attacks.
“Interviews with victims and incident responders revealed that ransomware creates physical and psychological harm for individuals and groups, including members of staff, healthcare patients and schoolchildren.”
Transitions and Solutions
While the State of the CISO 2023-2024 report says there is a generally heightened level of anxiety among CISOs and a greater level of dissatisfaction with their job compared to 2022, it also reveals why some CISOs are happy where they are.
CISOs that are less interested in a job change express higher satisfaction levels in several key areas, including visibility with executives, career development, budget, and compensation. These areas align with the change the industry has been witnessing as CISOs become more aligned with C-Suite executive positions, moving beyond just highly advanced technical skill experts.
Parnes explained that the transition of CISOs is rapidly elevating the role of security leaders.
“The CISO’s role is not only expanding within the organizational hierarchy but is also becoming more outward-facing. In some instances, this shift is so pronounced that the CISO role is starting to eclipse that of the CIO.
“The dynamics of cloud computing are accelerating this change, demanding a new breed of security leadership that is agile, strategically oriented, and more integrated into the overall business strategy. This evolution reflects the increasing complexity and significance of cybersecurity in the digital age.”
For CISOs to be effective in modern risk management, they must be given the space to communicate with leaders and boards, participate in top-level decision-maker meetings, and work in a cybersecurity-rich organization. But it’s not just CISOs that need to change.
When executives can speak and understand the language of risk management and are willing to take threats seriously without gambling reputation and financial losses, CISOs will also be more equipped and supported to do their job. Without buy-in, budget, and proper compensation, cybersecurity only becomes a jaded work that eventually leads to risks, losses, and human impacts.
The Bottom Line
The role of CISOs has evolved, and their influence must spread horizontally and vertically across an organization to counter the never-ending multilateral cyberattacks, compliance risks, and privacy threats that affect a company.
But the transformation still has a long way to go. IANS research concluded that just 50% of CISOs engage with their board quarterly.
References
- State of the CISO, 2023–2024 Benchmark Summary Report (IANS Research)
- Ariel Parnes (LinkedIn)
- Mitiga Official Website (Mitiga)
- Richard Caralli (LinkedIn)
- Axio Official Website (Axio)
- The Scourge of Ransomware: Victim Insights on Harms to Individuals, Organisations and Society (RUSI)