Survey reveals CISOs' mixed emotions and strategic opportunities amid cybersecurity challenges and shifting executive dynamics. (IT World Canada)
As the new year unfolds, Chief Information Officers (CIOs) and Chief Security Officers (CSOs) are grappling with a mix of anxiety and optimism, according to a comprehensive analysis conducted by IANS Research and Artico Search. The findings are encapsulated in the "State of the CISO 2023-2024" report, an 18-page document summarizing interviews held last fall with 100 CISOs from the United States and Canada. Additionally, insights were drawn from data collected from 663 CISOs in the middle of the previous year, covering topics such as compensation, budget dynamics, board engagement, and job satisfaction.
The report underscores the challenges faced by CISOs, including the economic downturn leading to reduced cybersecurity spending by companies, a surge in cyber attacks, heightened regulatory scrutiny, and the emergence of generative AI tools presenting both opportunities and threats in the realm of advanced threat detection and automation.
In the face of this rapidly changing landscape, the report suggests that the conventional characteristics associated with the CISO role may no longer be sufficient. However, it also sees this as an unprecedented opportunity for CISOs to advocate for a more prominent role in the executive hierarchy. The escalating security pressures on organizations, the report contends, provide CISOs with leverage to influence leaders beyond their immediate control.
Key findings from the analysis indicate a decline in CISO job satisfaction compared to the previous year, with 75 percent of CISOs considering a job change, up from 67 percent in the previous study. This dissatisfaction may be linked to a perceived lack of recognition, as only 20 percent of CISOs hold C-level positions despite 63 percent having VP or director-level roles.
Moreover, the report highlights the challenge CISOs face in seeking clear risk guidance from boards, with only 36 percent of respondents indicating that their boards provide explicit guidance on the organization's risk tolerance for the CISO to act upon. On a positive note, the report suggests that investing time in enhancing leadership skills through external training pays off, as CISOs who participated in formal leadership training or executive coaching programs earn over $200,000 more on average.
Addressing the evolving landscape, the report emphasizes the need for robust collaboration between CISOs and company leadership, including the board. It advocates for regular engagement, such as quarterly updates and tabletop exercises. While half of the respondents report such collaboration at their organizations, a quarter note limited board access, and 13 percent never interact with the board.
The report issues a warning that, for effective communication with the board regarding risk guidance and budgetary needs, CISOs must possess business acumen, understanding corporate strategy and financial statements, and executive presence, enabling persuasive and decisive communication with the board and C-suite. This advice is particularly crucial given the updated cybersecurity reporting rules by the U.S. Securities and Exchange Commission and the increasing exposure faced by CISOs in their roles.
