Source: Zhanna Hapanovich via Shutterstock
CISOs are increasingly being asked to assume the responsibilities of what would normally be considered a C-suite role, but without being regarded or treated as such at many organizations, a new survey of 663 security executives has shown.
The survey was conducted by IANS in collaboration with Artico Search, and polled CISOs on a variety of issues related to their jobs, their responsibilities, management support and other topics.
A full 75% of them said they are looking for a job change.
Expectations for the CISO Role Have Changed
The responses showed that expectations for the CISO role have changed dramatically at public and private sector organizations because, among other things, of increased scrutiny from regulators, and growing demands for accountability for security breaches.
As an example, the survey report pointed to rules like those adopted by the Securities and Exchange Commission (SEC) last July that require publicly traded companies to report all material security incidents within four days of the incident happening. Another example is the New York State Department of Financial Services (NYDFS) issuing new cybersecurity requirements for financial services companies.
"Regulators now hold CISOs accountable for transparency and even fraud on behalf of their organizations," the IANS and Artico report said. There is a growing expectation that the CISO will primarily serve as a business risk-management function, with a clear voice at executive leadership meetings and a direct line of communication with the CEO and C-suite. Yet, "despite the role expectations being elevated to C-Level, CISOs struggle to be viewed as such, and the CISO role is frequently not part of the senior leadership team."
The survey showed for example that while more than 63% of CISOs have a vice president or director-level position, only 20% are at the C-suite level despite having "chief" in their title. In the case of organizations with revenues of more than $1 billion, that number is even smaller, at 15%. From a reporting standpoint, a troubling 90% of CISOs are at least two or more organizational levels removed from the CEO and C-suite. Just 50% engage with their company's board on a quarterly basis. A quarter engage with the board just once or twice per year, 12% meet the board purely on an ad hoc basis, and 13% report having no contact with the board at all.
A Lack of Guidance for CISO Responsibility
In many instances, CISOs who want clear risk guidance from their board don't get it. Barely more than one-third (36%) described their board as offering them clear enough insight into their organization's risk tolerance levels for them to act upon.
"The evolution of the CISO role over the past few years has accelerated dramatically," says Nick Kakolowski, research director at IANS. With organizations digitizing more of their operations, CISOs are taking on more responsibilities and have become de facto owners of digital risk, he says. "[But] organizations haven't figured out how to support and empower them as the scope of the role grows."
Concerns have been growing within the CISO community in recent years about the escalating expectations around the role, even as their ability to meet those expectations has remained largely unchanged. Incidents like one last October where the SEC charged SolarWinds CISO Tim Brown with fraud and internal control failures over the 2020 breach at the company, and where a judge sentenced former Uber CISO Joe Sullivan to three years of probation over a 2016 breach, have fueled those concerns. While there is some debate about whether the actions against the security executives in these incidents were justified, many have argued that it is unfair to hold them alone accountable for the breaches.
Historical Bias Against Security As a C-Level Function
One of the reasons why many organizations still don't perceive the CISOs role as belonging in the C-suite is historical bias, Kakolowski says. "CISOs tend to be perceived — often unfairly — as techies who can't speak the business' language," he says, adding that they often tend to get siloed when it comes to skills development. Efforts there often tend to focus on technical capabilities and team leadership, rather than on executive skills development.
Some of it is also inertia. Large, complex organizations take time to adjust to new challenges and organizational shifts.
"The biggest challenge is the struggle to find alignment between the CISOs and the rest of the C-suite," Kakolowski says. "Business leaders are beginning to become aware of the risk of underutilizing CISOs as business executives, and there's an opportunity for CISOs to demonstrate their ability to offer value to the organization beyond the back office."
Elevating the CISO role to where it belongs, in the C-suite, can have many benefits, Kakolowski argues. Being part of top management gives CISO better awareness and visibility into where the organization is going, and makes it easier for them to collaborate with other stakeholders on digital risk-management.
"It positions the CISO to get ahead of risk, thereby reducing the friction that may come when mitigating risks," he notes.