2024 has been dubbed “the year of the CISO”, but it’s far from a celebratory label. This year, security leaders in the C suite face a tougher balancing act than ever before.
2024 marks a new era for CISOs, with increasing legal concerns, compliance requirements, and board-level scrutiny adding to the significant pressures that already accompanied the role - security threats, talent shortages, and burnout, to name just three.
In October 2023, SEC charges against the SolarWinds CISO changed how many security leaders think about their roles, knowing, as they now do, that their personal liberty is potentially on the line. They’re faced with two choices - evolve to meet these growing challenges, or face the (extremely unattractive) consequences.
What will the evolution of the CISO look like? Let’s look at 4 ways the role will change in 2024.
4 ways the role of the CISO will change in 2024
1. The SolarWinds charges will raise the stakes
Salaries, performance bonuses, and reputations are no longer the only things at stake for CISOs - as evidenced by the SolarWinds charges, their liberty is potentially on the line, too.
Regulators are making clear that, just as CFOs must fairly present their company’s financial position, CISOs must state the material truth of their cybersecurity posture.
The Uber CISO's conviction showed that leaders must be transparent about breaches. Now, the same applies to policies. If CISOs claim to have access restrictions and a secure software development lifecycle, they had better actually have them.
The best CISOs will share as much information as possible with the C suite, and use that information as a driver to get more budget, more tools, and more headcount.
2. CISOs will look for better-resourced teams - or go elsewhere
CISOs, knowing they might have to take the fall for security failings, will demand a robust cybersecurity budget, headcount, and tooling - or find a company willing to provide them. And many smart CISOs will turn down positions where they expect to be underresourced.
This is backed up by data in the 2023 Voice of the SOC report, in which practitioners at VP and CISO levels responded to the question, “What could your current organization do to retain you?”
While compensation is undoubtedly a factor (36% of respondents agreed), a better-resourced team was by far the most common response - 49% desired more modern tools with advanced capabilities, and 45% wanted a larger headcount.
3. CISOs will demand the attention of the CEO
Security leaders will become louder voices in the C suite in 2024. CISOs will bring more issues to the attention of the board or risk committee, forcing the entire company to accept the risk rather than shouldering it alone.
We can also expect more cybersecurity issues to escalate to the boardroom. The chain of command may shift, too, as CISOs who currently report to a CIO or CTO look for a direct line to the CEO.
One piece of bad news - these added layers of reporting and responsibility may initially slow the pace of innovation as companies catch up to the new security standard.
4. CISOs will embrace automation
CISOs will turn to automation to help them respond to the problems of underresourced teams and insufficient security posture.
Regardless of whether they can secure huge budgets for the year ahead, CISOs can use automation to do more with their existing teams and stacks.
Security leaders can use automation to achieve faster recovery from incidents, quickly improve their security posture, and make existing tools work more efficiently, while also boosting job satisfaction across their team.
Of course, most security leaders are already aware of this. According to the 2023 Voice of the SOC report, 48% of respondents at VP and CISO level believe that 50% or more of their work can be automated by software. But the events of 2023 will prompt them to kickstart - or level up - their automation journey.
Thomas Kinsella also hosts The Future of Security Operations, a weekly podcast that finds him interviewing security leaders at companies like Elastic and Reddit.