The CISO role has taken on greater prominence at a time when cyberattacks have become relentless and increasingly sophisticated, and millions of people continue to work from home. Couple that with a number of high-profile cyberattacks and greater regulatory scrutiny. CISOs are in high demand, and companies are willing to pay a premium to recruit and retain them.
“The chief information security officer (CISO) has become a position of critical importance to companies large and small, in technology and in nearly every other industry,” according to a 2021 survey by recruitment firm Heidrick & Struggles. The survey of 354 CISOs also revealed that U.S. CISOs earned a median salary of $509,000 in 2021, compared with $473,000 in 2020.
CISOs who used to “focus on network security, firewalls, security policies and governance now also find themselves tasked with securing connected devices, devising identity and access management systems, implementing artificial intelligence and machine learning, as well as risk management, privacy, investigations and physical security, among other issues,” the Heidrick & Struggles survey said. “And they are doing so while managing ever-larger teams.”
Eighty-eight percent of boards of directors now view cybersecurity as a business risk, as opposed to a technology risk, according to a recent survey from Gartner.
There’s never been a better time to be a CISO.
“CISOs are certainly getting more visibility at an executive and board level and are more closely involved in product and strategy discussions,” said Andre Durand, CEO of cloud identity security software provider Ping. “As cybercrime continues to increase and companies face monetary losses or damages, the role of the CISO and security overall are critical to business success.”
Whereas CISOs often reported to an organization’s CIO, that is changing as the role has become more strategic and less about IT function. Sixty-one percent of the CISOs surveyed by Heidrick & Struggles report to someone other than the CIO.
In more regulated industries such as healthcare, the CISO may report to whoever handles risk and audit, while those who work in SaaS/cloud/tech companies tend to find themselves under engineering leadership/CTO or the COO, according to the Heidrick & Struggles survey.
“The CISO needs to be able to influence across organizations, and that’s the most crucial aspect here,” Durand said.
In terms of industries that recognize the value of having a CISO, those with financial, intellectual property or privacy risks are likely more in tune with the benefits that a CISO can bring to them, he said. But Durand added that “cybercriminals don’t discriminate based on industry verticals. All companies should seek to have some level of executive sponsorship around security for their business.”
Where CISOs are focused in 2022
Companies are continuing to migrate to cloud-based software and to focus on security architecture and protections around those offerings. Because ransomware continues to be a huge cyber threat, warding it off, as well as being able to recover from it, continues to be a pressing need, Durand said.
“Keeping the business available and able to withstand attacks from DDoS or Botnet attacks is critical to any digital business,” he said. “Overall, the industry continues to push towards a zero-trust model, and we see a substantial amount of effort ongoing in that area.”
Yet, companies still face challenges trying to keep up with the rapid changes in technology. This means “security teams need to be well-versed in the technology in use at a company to provide guidance around keeping that technology secure,” Durand said. “The talent pool of security professionals is also limited, [and] hiring and retaining that talent has been challenging regardless of industry.”
CIOs and CISOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders, Gartner said. The firm recommends that responsibility for business decisions that affect enterprise security be shared, and that IT and security leaders work with executives and boards of directors to establish broader governance.
“Having a CISO with board-level support and oversight in the boardroom could help bring visibility to technology risks each business faces,” Durand agreed. “A good committee is made up of diverse opinions and experiences, one of which I believe should be the CISO.”
Regardless of who the CISO reports to, they should partner and support the CIO, he said. “The CIO will have a continued responsibility to deploy and enforce security controls on the systems they are responsible for maintaining. CIOs, CTOs and CISOs should be closely partnered for the benefit of the organization.”