Global executive search and leadership advisory partner Marlin Hawk have released the company’s second annual Global Chief Information Security Officer (CISO) Research Report. The report explores industry trends and insights of CISOs around the world, the challenges they face in a rapidly evolving cybersecurity landscape, as well as their role and place within organisations.
The report also analyses the role of the CISO regarding the short- and long-term impacts of the pandemic, perspectives on diversity, tenure, and succession, as well as the impact of cybersecurity expertise at the board level. It consists of research from CISOs at 400+ of the world’s largest companies and direct feedback from Fortune 500 CISOs at organisations like Bank of America, Humana, TD Bank Group, Equifax, Credit Suisse, and BT Security.
“There are so many more industries recognising the importance of technology as a result of the pandemic, and therefore the importance of CISOs, thus creating much more demand,” said Jason Mallinder, Group CISO, Credit Suisse. “As this demand continues to grow, the demands on CISOs continue to evolve, including the talent agenda becoming ever more challenging.”
Overall key findings from the report include:
● 67 per cent of those interviewed were hired by a new company, which translates to a poor job of retaining and promoting within
● 53 per cent of CISOs interviewed assumed a new role during the pandemic, while just over a third took on an expanded role at their current place of employment
● 14 per cent are women while only 21 per cent are non-white, which highlights the industry’s overall inability to address diversity and inclusion (D&I)
● Only 1 per cent of Boards currently include a cybersecurity leader, underscoring a lack of comprehensive cybersecurity expertise and knowledge
Given the various solutions that have been put into place to enable a secure remote workforce, many CISOs see the benefits to sustaining it, such as access to better and more diverse talent. Many organisations find that a location-agnostic approach to hiring increases the candidate pool and raises the bar on the type of talent they can attract.
“The CISO role has become an interesting mix of digital and physical security,” notes Aman Raheja, CISO, Humana. “The combination created new risk for CISOs, who had to architect solutions to ensure access to critical services and ways of working.”
Additionally, as remote work evolves into a more permanent, hybrid model for enterprises, changes in working and purchasing habits have emerged as a key differentiator for the Board. They frequently consult the CISO on a broad range of topics, which now includes things like investment decisions tied to real estate.
COVID-19 obviously introduced a new level of complexity as CISOs were tasked with securing a remote workforce and mitigating risks and threats, which increased as the enterprise network became more porous. The unprecedented pace at which CISOs have had to adapt has fundamentally changed their role to a key driver of business and digital transformation but also addressing all security needs across the enterprise:
“There is a technology strategist role that is continuing to emerge,” says Glenn Foster, CISO, TD Bank Group, “It goes beyond the security stack more broadly into questioning trust in our legacy technologies and where we need to make investments to mitigate against those risks. Where the CIO would traditionally be leading conversations about operational efficiency, you now see the CISO championing them, too.”
“The size of the boardroom table continues to grow, as governing a modern corporation continues to become more complex and less rooted in the purely financial lenses of the past,” says James Larkin, Partner at Marlin Hawk. “If companies aren’t ready to add another seat (for the CISO) to their Board, then councils and committees must bridge this gap until they are – be it internal or advisory adjuncts to the Board. Starting with a cyber security and customer trust committee is a good first step. Technology governance, data privacy, customer trust, and cyber risk are all starting to feel like different flavours of the same governance issue, and the issue is growing, not shrinking.”
The turnover rate for CISOs is incredibly high and, not surprisingly, often tied to compensation, a poor work culture, and a lack of resources. Given the need for vigilance in the CISO role, high turnover rates do not necessarily pose a problem if organisations have a robust pipeline of cyber talent in place to respond in the event of an exit.
To that end, many of the CISOs that Marlin Hawk spoke to reported a discrepancy between a slated successor and the candidate who is named to the role. This breakdown in the succession planning process is likely due, in part, to a lack of exposure by potential successors to the Board. Despite this current failure, several cybersecurity executives interviewed believe that a succession plan is vital.
On top of incredibly high demand, internal tensions exacerbated by the pandemic have created a need for CISOs who have soft skills to communicate across the business and manage distributed teams:
“The CISO’s number one responsibility is providing an independent voice,” notes Craig Froelich, CISO, Bank of America. “The role requires self-awareness and humility; good CISOs are willing to admit to themselves and others when they don’t have the same set of fresh eyes as day one.”