As the digital landscape has grown, the organizational need for cybersecurity and data protection has risen. A new study takes a look at where CISOs stand in businesses.The CISO role has taken on greater prominence at a time when cyberattacks have become relentless and increasingly sophisticated, and millions of people continue to work from home. Couple that with a number of high-profile cyberattacks and greater regulatory scrutiny. CISOs are in high demand, require CISO training and companies are willing to pay a premium to recruit and retain them.
CISOs who used to “focus on network security, firewalls, security policies and governance now also find themselves tasked with securing connected devices, devising identity and access management systems, implementing artificial intelligence and machine learning, as well as risk management, privacy, investigations and physical security, among other issues,” the Heidrick & Struggles survey said. “And they are doing so while managing ever-larger teams.”
Eighty-eight percent of boards of directors now view cybersecurity as a business risk, as opposed to a technology risk, according to a recent survey from Gartner.
There’s never been a better time to be a CISO.
“CISOs are certainly getting more visibility at an executive and board level and are more closely involved in product and strategy discussions,” said Andre Durand, CEO of cloud identity security software provider Ping. “As cybercrime continues to increase and companies face monetary losses or damages, the role of the CISO and security overall or critical to business success.”
Whereas CISOs often reported to an organization’s CIO, that is changing as the role has become more strategic and less about IT function. Sixty-one percent of the CISOs surveyed by Heidrick & Struggles report to someone other than the CIO.
In more regulated industries such as healthcare, the CISO may report to whoever handles risk and audit, while those who work in SaaS/cloud/tech companies tend to find themselves under engineering leadership/CTO or the COO, according to the Heidrick & Struggles survey.
Where CISOs are focused in 2022
Companies are continuing to migrate to cloud-based software and focus on security architecture and protections around those offerings. Because ransomware continues to be a huge cyber threat, trying to ward them off as well as the ability to recover from ransomware continues to be a pressing need, Durand said.
“Keeping the business available and able to withstand attacks from DDoS or Botnet attacks is critical to any digital business,” he said. “Overall, the industry continues to push towards a zero-trust model, and we see a substantial amount of effort ongoing in that area.”
Yet, companies still face challenges trying to keep up with the rapid changes in technology. This means “security teams need to be well-versed in the technology in use at a company to provide guidance around keeping that technology secure,” Durand said. “The talent pool of security professionals is also limited, [and] hiring and retaining that talent has been challenging regardless of industry.”
CIOs and CISOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders, Gartner said. The firm recommends that the responsibility for business decisions that affect enterprise security must be shared, and IT and security leaders should work with executives and boards of directors to establish broader governance.
“Having a CISO with board-level support and oversight in the boardroom could help bring visibility to technology risks each business faces,” Durand agreed. “A good committee is made up of diverse opinions and experiences, one of which I believe should be the CISO.”
Regardless of who the CISO reports to, they should partner and support the CIO, he said. “The CIO will have a continued responsibility to deploy and enforce security controls on the systems they are responsible for maintaining. CIOs, CTOs and CISOs should be closely partnered for the benefit of the organization.”
