Author: Aaron Pritz – CEO, Principal Consultant, Co-Founder at Reveal Risk
The explosion in media coverage surrounding cybersecurity and privacy over the last few years has brought awareness of these risks and incidents to an all-time high at board and executive levels. Still, many question whether the commitments made in this moment of heightened awareness are “real enough” or persistent. Many companies still lump the information security organization into IT (which often faces high expectations to cut costs and optimize headcount).
The topic of “where the CISO reports” is a hot topic within the industry, and you can find hundreds of articles with strong opinions. The trend in larger organizations with higher risk awareness (financial services, healthcare/payer, consumer products, etc.) has been for the CISO role to move away from the CIO reporting structure (the historical tradition for many companies) toward the CEO or other senior leaders.
In the latest edition of its “Global State of Information Security Survey”, PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to the CEO, while 27 percent report to board directors, 24 percent report to a chief information officer (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO). Note, for the accountants reading this: the numbers don’t add up to 100% because of dotted-line reporting.
Another trend: titles, levels and salaries have also been on the rise. “Salaries for Chief Information Security Officers (CISOs) at top European firms have topped €1m (£850,000) as the threat of data breaches grows,” according to executive search firm DHR International. However, at the exact opposite end of the spectrum, some senior leaders hunt for cut-rate or even part-time CISOs at a fraction of the going rate. This dynamic often creates a bigger mess for the next CISO to clean up. CSO Online recently covered this unfortunate trend in an article by Ben Rothke.
Average CISO tenure ranges from 12 to 48 months (as reported by the Ponemon Institute, CIO.com, and many other sources).
This is the most concerning trend. Regardless of your field, you would have to acknowledge the disruption of constant leadership turnover, with each leader pulling an organization in a slightly (or significantly) different direction. Why is the turnover unusually high? I’ve seen and heard the following root causes:
What does all this mean?
It means that for the near future, we will likely see a lot of different approaches as companies and boards continue to figure out the role of information security.
However, I think we are starting to see a light at the end of the tunnel. Recent trends suggest that companies beyond the Fortune 500 are starting to create CISO positions, upgrade their CISO role, and seek out broader skill sets. There isn’t a precise recipe or set of requirements for the perfect CISO (and most organizations probably couldn’t afford it if perfection were a reality). Therefore, I have developed my own Top 10 CISO Attributes based on what my experience shows is required of the CISO of today and beyond (in no particular order). This is what I look for when helping companies select their first or a replacement CISO:
If you are a CISO or an aspiring CISO, these 10 things can help you project yourself into the CISO of tomorrow rather than yesterday. Tomorrow is already “today”, so the quicker the industry can work through this challenge, the better positioned companies will be in this battle.
Feel free to COMMENT, REPOST, or LIKE to keep these free articles coming. If your security program needs help translating strategy into action and becoming more business risk/threat focused, you can request more information at info@revealrisk.com. More information can be found at www.revealrisk.com.
Topics: cybersecurity, Leadership
Indianapolis, IN – October 2, 2018