The CISO's Job Is Getting More Complex

Uploaded on 2021-09-22 in TECHNOLOGY--Resilience, FREE TO VIEW

Most organisations experienced cyber security problems as they began working with a remote and home working workforce as a consequence of the Coronavirus and the importance of a robust cyber security capability has never been more apparent. 

Now, research from executive search and consulting firm Marlin Hawk highlights the job of the Chief Information Security Officer (CISO) and the issues arising for  succession planning failures and a lack of diversity.  The Report analyses the role of the CISO regarding the short- and long-term impacts of the pandemic, perspectives on diversity, tenure, and succession, as well as the impact of cyber security expertise at the board level. 

It consists of research from CISOs at 400+ of the world’s largest companies and direct feedback from Fortune 500 CISOs at organisations like Bank of America, Humana, TD Bank Group, Equifax, Credit Suisse and BT Security. “There are so many more industries recognising the importance of technology as a result of the pandemic, and therefore the importance of CISOs, thus creating much more demand...  As this demand continues to grow, the demands on CISOs continue to evolve, including the talent agenda becoming ever more challenging.”said Jason Mallinder, Group CISO at Credit Suisse. 

Overall Key Findings Include:

  • 67% of those interviewed were hired by a new company, which translates to a poor job of retaining and promoting within.
  • 53% of CISOs interviewed assumed a new role during the pandemic, while just over a third took on an expanded role at their current place of employment.
  • 14% are women while only 21% are non-white, which highlights the industry’s overall inability to address diversity and inclusion (D&I).
  • Only 1% of Boards currently include a cybersecurity leader, underscoring a lack of comprehensive cybersecurity expertise and knowledge.

CISOs are supporting the shift to location-agnostic working practices and with the various solutions that have been put into place to enable a secure remote workforce. Many CISOs see the benefits to sustaining it, such as access to better and more diverse talent.

Indeed, many organisations find that a location-agnostic approach to hiring increases the candidate pool and raises the bar on the type of talent they can attract.

“The CISO role has become an interesting mix of digital and physical security...  The combination created new risk for CISOs, who had to architect solutions to ensure access to critical services and ways of working.”says Aman Raheja, CISO at Humana. Additionally, as remote work evolves into a more permanent, hybrid model for enterprises, changes in working and purchasing habits have emerged as a key differentiator for the Board. They frequently consult the CISO on a broader range of topics, which now include investment decisions.

CISOs Deserve More influence In The Boardroom

The Coronavirus pandemic introduced a new level of complexity as CISOs were given the task of securing a remote workforce and mitigating risks and threats, which increased as the enterprise network became more porous. The unprecedented pace at which CISOs have had to adapt has fundamentally changed their role to a key driver of business and digital transformation but also addressing all security needs across the enterprise: "There is a technology strategist role that is continuing to emerge... It goes beyond the security stack more broadly into questioning trust in our legacy technologies and where we need to make investments to mitigate against those risks. Where the CIO would traditionally be leading conversations about operational efficiency, you now see the CISO championing them, too." says Glenn Foster, CISO, TD Bank Group,

“The size of the boardroom table continues to grow, as governing a modern corporation continues to become more complex and less rooted in the purely financial lenses of the past...  If companies aren’t ready to add another seat for the CISO to their Board, then councils and committees must bridge this gap until they are, be it internal or advisory adjuncts to the Board. Starting with a cyber security and customer trust committee is a good first step." says James Larkin of Marlin Hawk.

CISOs Are In High Demand But Succesion Planning Is Rare

The turnover rate for CISOs is incredibly high and often closely related to pay and working conditions.Given the need for vigilance in the CISO role, high turnover rates do not necessarily pose a problem if organisations have a robust pipeline of cyber talent in place to respond in the event of an exit. To that end, many of the CISOs that Marlin Hawk spoke to reported a discrepancy between a slated successor and the candidate who is named to the role. 

  • This breakdown in the succession planning process is likely due, in part, to a lack of exposure by potential successors to the Board. And despite this current failure, several cyber security executives interviewed believe that a succession plan is vital. 
  • Soft skills have become crucial, but overall diversity and inclusion (D&I) is lacking. On top of incredibly high demand, internal tensions exacerbated by the pandemic have created a need for CISOs who have soft skills to communicate across the business and manage distributed teams: 
  • When it comes to diversity, a number of organisations have made significant improvements. Still, several have yet to tackle the issue of how to integrate diverse talent into their structure. For instance, women account for 14% of information security leaders, and non-white candidates account for just 21% of CISOs at large global enterprises. 

Overall, the evidence suggest that the the role of CISO has never been more complex, challenging and critical to the resilience of the organisations they work for.

Marlin Hawk:        Image: Unpslash

You Might Also Read: 

CISO's Cant Find The Right People:

 

« EU Proposes Legislation To Secure Connected Devices
North America VPN Market Will Soon Be Worth $70 Bn »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Backup Systems

Backup Systems

Backup Systems is a leading backup and disaster recovery systems provider across the UK.

ABL Cyber Academy

ABL Cyber Academy

ABL provide certified training courses in the field of cyber security and IT project management.

Hypersecu Information Systems

Hypersecu Information Systems

Hypersecu Information Systems, Inc. is a solution provider dedicated to multi-factor authentication, public key infrastructure and software copyright protection.

Entel CyberSecure

Entel CyberSecure

Entel CyberSecure is a portfolio of Cybersecurity solutions and services for the protection, defense, risk management and regulatory compliance of ICT Systems for corporations and Government.

ATIA

ATIA

ATIA provides consulting services in the design and implementation of IT system, Information Security, ISO certification, and professional IT training and education.

DAkkS

DAkkS

DAkkS is the national accreditation body for Germany. The directory of members provides details of organisations offering certification services for ISO 27001.

DestructData

DestructData

DestructData is a leading independent provider of End of Life data destruction/security solutions.

Netlawgic Legal Services

Netlawgic Legal Services

Netlawgic is exclusively focused on delivering cyber law solutions to the industry. We provide our clients with specialized attention and problem solving in all aspects of cyber law.

X-Ways Software Technology

X-Ways Software Technology

X-Ways provide software for computer forensics, electronic discovery, data recovery, low-level data processing, and IT security.

FraudWatch International

FraudWatch International

FraudWatch has been protecting client brands around the world since 2003, and are the leaders in online brand protection from phishing, malware, social media and mobile apps impersonation.

Parameter Security

Parameter Security

Parameter Security is a provider of ethical hacking and information security services.

SharkStriker

SharkStriker

SharkStriker is a US based managed security services provider with SOCs and offices across the globe.

Trenton Systems

Trenton Systems

Trenton Systems are committed to providing high-performance computing solutions to customers running mission-critical applications in harsh settings worldwide and across various industries.

Radiance Technologies

Radiance Technologies

Radiance solutions provide technological advantage and operational superiority for our nation in the areas of intelligence, cyber and advanced weapon systems.

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions is an Enterprise Cyber Security Platforms company offering Cyber Security & Technical Education and Compliance & Penetration Testing Services.

Cypago

Cypago

Cypago provides a powerful yet easy-to-use Compliance Orchestration Platform to automate the compliance process end-to-end.