The CISO made its first appearance as a member of the C-suite in 1995, and it’s been an uphill climb to full-fledged executive ever since.
More than half of global CISOs report to either the CIO, CTO or another senior engineering executive, while only 8% report directly to the CEO, according to data from Heidrick & Struggles.
But there are signs that CISOs are becoming more visible and taking on a greater leadership role as cyberthreats become more prevalent. With sophisticated threat actors targeting company operations and financial interests, nearly nine out of ten CISOs say they have a seat at the board table, either regularly reporting to committees or the full board of directors.
“Ultimately the visibility of a CISO boils down to how much the business values security,” said Ryan Davis, CISO at NS1.
If an organization embraces security, the CISO tends to be more visible and approachable across leadership and throughout the company. Conversely, if the security department is there just to check off a box for industry compliance, then the CISO is more likely to be a minor player and will lack visibility or authority.
What keeps CISOs up at night
In the end, it doesn’t matter what the C-suite thinks about security. If there’s any type of cyber incident, it is the CISO who shoulders that responsibility.
It's no wonder that the majority of CISOs say they are suffering from job-related stress and burnout.
CISOs are up against a talent shortage and staff retention concerns, an increasingly sophisticated threat landscape driven by software supply chain attacks, and geopolitical tensions.
“What keeps me up at night is the risk of having a very sophisticated threat actor that could potentially dwell and lurk within a network without notice for a prolonged period, exfiltrating data from the company,” said Steven Sim, Global CISO for a logistics MNC, president of ISACA Singapore and chair of OT-ISAC Executive Committee.
Sophisticated threat actors also concern Kemal Piskin, CISO with LinQuest. As security departments rely on technologies like AI to help detect and prevent cyberattacks, cybercriminals are leveraging the same technologies to launch attacks.
Remote work has its problems too — a blessing and a curse for CISOs. Cybersecurity professionals want to work from home, according to a survey by (ISC)2, which could have a positive impact on the talent shortage. But CISOs like Piskin see non-cyber workers as a challenge.
In an ideal situation, all remote workers would be well-schooled in cyber awareness and use a zero-trust framework and other security best practices. The reality is the true security of home networks and personal devices is unknown. This raises the risk of a cyberattack.
“Hackers get many attempts to get into your system. CISOs have one chance to stop them,” said Piskin.
Growing the CISO role
Many CISOs see their current role as a blend between technology and business. “I don’t spend most of my time worrying about security events, but rather how the business runs with security,” said Piskin.
Participating in conversations about business operations as part of the leadership team is how many CISOs want to see their role continue to evolve.
“I’d like to see security functions across organizations be defined and seen differently – both internally and externally,” said Jason Rader, VP and CISO at Insight Enterprises.
Just as everyone in the company bears some responsibility for keeping the business running, Rader thinks CISOs should promote a similar approach to security. Everyone should play a vital role in keeping the organization secure.
“One slipup can be a gateway to bad actors and expose vulnerabilities that can be damaging, so everyone plays a part and needs to feel accountable,” said Rader.
However, security has been in a silo for a long time and changing that mindset won’t happen overnight. Even in organizations where the CISOs are in a position of high visibility and a true part of the leadership team, the role must continue to evolve so that the organization can keep up with the threat landscape.
The U.S. Securities and Exchange Commission (SEC) and regulatory bodies have increasingly mandated the importance of cybersecurity expertise, and that will also impact the changing role of the CISO.
“There’s definitely a long way to go,” said Rader. “It won’t happen by accident, and it will take effort and persistence. However, the payoff can be great.”