A survey of CISOs and their job roles by an executive search firm reveals interesting findings:
The 2022 Global CISO Survey finds that the 5 functions that are often reported to CISOs have remained the same year over year but the strong presence of application/product security as a regular part of the CISOs’ mandate was a new development in 2021 and has clearly maintained priority in 2022. The survey, carried out by the US-based executive search firm Heidrick & Struggles, examining both organizational structure and compensation for CISOs, listed the most common functions that CISOs get to handle as:
- Security operations
- Governance, risk and compliance
- Penetration testing
- Security architecture
- Product or application security
- Business continuity planning or disaster recovery
The survey report said: “Those areas of responsibility are aligned with the most significant threats CISOs say their companies are facing. We are seeing cybersecurity becoming more and more embedded in core software development and business processes, with the most sophisticated cyber programs getting ahead of threats and taking a ‘security by design’ approach across the board.”
Among the CISOs who responded to the survey, 87%, were in global roles (ranging from a high of 100% in Asia Pacific and the Middle East to a low of 84% in Europe).
GROWTH IN TEAM SIZE
The survey also found that team size, on the whole, grew compared with the previous year and the share of CISOs with the very smallest teams dropped from 38% to 31%, and the share with the largest teams rose from 18% to 21%. “Growing team sizes reflect the increased investment this role has from the board level and shows the need to recruit world-class talent and bench strength for the CISO. Larger teams may, over time, reduce burnout – a key concern among CISOs,” the survey found.
Ransomware attacks accounted for 67% of the most significant cyberthreats that CISOs faced, followed by insider threats (32%), nation/state attacks (31%), malware attacks (21%), malware-free attacks (3%) and other attacks (7%).
REPORTING LINE
The survey revealed that nearly two-thirds of CISOs report to someone other than the CIOs, the same share as last year. Only 8% report directly to the CEO, a decrease from last year’s 11%. “However,” says the report, “reporting lines vary markedly by region and, in our experience, industry. For example, in financial services, the CISO still largely reports to the CIO or CTO, but in many cases the CISO, or parts of the cyber organization, reports to the risk organization or ‘second line’. In many instances, we are seeing creative solutions that involve CISOs having both hard- and soft-line reporting relationships, to the audit committee, for example.”
The findings maintain that the importance of the role of the CISO continues to grow as digital technologies become even more prevalent, hybrid working remains the norm in many industries, and concern about cyberattacks, specifically ransomware, rises.
BURNOUT, STRESS
The survey also covered the personal risks CISOs face in their role. And the responses have been unique. It was found that there is burnout and stress associated with this role, and the survey suggests that lead organizations should consider succession plans and/or retention strategies so that CISOs do not make unnecessary exits.
The second aspect is that CISOs feel relatively secure in their jobs as job loss as a result of a breach was not the highest risk. “That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk,” says the survey.
The survey also examined the roles that successful CISOs would like to handle as they grow in an organization. A majority of the CISO queried on this wanted to be something other than a CISO. “More than half want to be board members, though the shares vary regionally, from a high of 56% in the United States to a low of 40% in Europe,” found the survey.
WHAT BOARDS NEED TO HAVE
The survey findings point to the fact that cybersecurity experience is sorely needed on boards, given the risks companies face. In Europe, only 5% of seats filled on boards in 2021 were filled by people with cybersecurity experience of any kind. In the United Kingdom and the United States, the figures were 10% and 17%, respectively.
Says the survey report: “Despite an increased focus and investment in cybersecurity, as evidenced by growing compensation and team size and evolving reporting relationships, we are seeing that interest is still not resulting in board memberships for those experts. In the future, we expect more companies to consider adding CISOs to their boards.”
The survey also mentions that outside of board roles, CISO career progression remains tricky. Though 38% of CISOs globally report to the CIO today, only 13% see that as an ideal next role. “The wide range of next steps CISOs are interested in highlights that this is an evolving role, one where the next move still isn’t clear,” says the survey.
The report covered organizational data from respondents in the United States, Europe and Asia Pacific, and compensation data for respondents in the United States, the United Kingdom, and Germany. The CISOs who responded to the survey came predominantly from the United States. Australia, Belgium, France, Germany, the Netherlands, Singapore, South Korea and the United Kingdom. More than two-thirds of the CISOs were at companies with an annual revenue of $5 billion or more, and they worked across a range of industries, most often financial services and technology and telecoms, followed closely by industrial, manufacturing, and energy and consumer, retail, and media.
OTHER ROLES FOR CISO
More than half of the respondents, prior to their current role, were in another CISO role. “This reflects a broader trend that CISO roles are often terminal – the career path forward for CISOs is most often to another CISO role. If we include executives who were functioning as the CISO without that title, 70% of the CISOs moved laterally into their current role,” says the report.
The survey found that in the United States, median cash CISO compensation has risen to $584,000 in 2022, up from $509,000 in 2021 and $473,000 in 2020. Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $971,000 from $936,000. New CISOs (those who have been in their role for less than a year) generally saw the highest rises in overall compensation, no doubt reflecting the increased fight for top talent in all sectors and functions.
The United Kingdom saw similar trends to those in the United States, says the report. The reported median cash CISO compensation in the country has risen to £318,000 in 2022, up from £306,000 in 2021.
__________________________
Read More:
