The CISO's Job Is Getting More Complex

Uploaded on 2021-09-22 in TECHNOLOGY--Resilience, FREE TO VIEW

Most organisations experienced cyber security problems as they began working with a remote and home working workforce as a consequence of the Coronavirus and the importance of a robust cyber security capability has never been more apparent. 

Now, research from executive search and consulting firm Marlin Hawk highlights the job of the Chief Information Security Officer (CISO) and the issues arising for  succession planning failures and a lack of diversity.  The Report analyses the role of the CISO regarding the short- and long-term impacts of the pandemic, perspectives on diversity, tenure, and succession, as well as the impact of cyber security expertise at the board level. 

It consists of research from CISOs at 400+ of the world’s largest companies and direct feedback from Fortune 500 CISOs at organisations like Bank of America, Humana, TD Bank Group, Equifax, Credit Suisse and BT Security. “There are so many more industries recognising the importance of technology as a result of the pandemic, and therefore the importance of CISOs, thus creating much more demand...  As this demand continues to grow, the demands on CISOs continue to evolve, including the talent agenda becoming ever more challenging.”said Jason Mallinder, Group CISO at Credit Suisse. 

Overall Key Findings Include:

  • 67% of those interviewed were hired by a new company, which translates to a poor job of retaining and promoting within.
  • 53% of CISOs interviewed assumed a new role during the pandemic, while just over a third took on an expanded role at their current place of employment.
  • 14% are women while only 21% are non-white, which highlights the industry’s overall inability to address diversity and inclusion (D&I).
  • Only 1% of Boards currently include a cybersecurity leader, underscoring a lack of comprehensive cybersecurity expertise and knowledge.

CISOs are supporting the shift to location-agnostic working practices and with the various solutions that have been put into place to enable a secure remote workforce. Many CISOs see the benefits to sustaining it, such as access to better and more diverse talent.

Indeed, many organisations find that a location-agnostic approach to hiring increases the candidate pool and raises the bar on the type of talent they can attract.

“The CISO role has become an interesting mix of digital and physical security...  The combination created new risk for CISOs, who had to architect solutions to ensure access to critical services and ways of working.”says Aman Raheja, CISO at Humana. Additionally, as remote work evolves into a more permanent, hybrid model for enterprises, changes in working and purchasing habits have emerged as a key differentiator for the Board. They frequently consult the CISO on a broader range of topics, which now include investment decisions.

CISOs Deserve More influence In The Boardroom

The Coronavirus pandemic introduced a new level of complexity as CISOs were given the task of securing a remote workforce and mitigating risks and threats, which increased as the enterprise network became more porous. The unprecedented pace at which CISOs have had to adapt has fundamentally changed their role to a key driver of business and digital transformation but also addressing all security needs across the enterprise: "There is a technology strategist role that is continuing to emerge... It goes beyond the security stack more broadly into questioning trust in our legacy technologies and where we need to make investments to mitigate against those risks. Where the CIO would traditionally be leading conversations about operational efficiency, you now see the CISO championing them, too." says Glenn Foster, CISO, TD Bank Group,

“The size of the boardroom table continues to grow, as governing a modern corporation continues to become more complex and less rooted in the purely financial lenses of the past...  If companies aren’t ready to add another seat for the CISO to their Board, then councils and committees must bridge this gap until they are, be it internal or advisory adjuncts to the Board. Starting with a cyber security and customer trust committee is a good first step." says James Larkin of Marlin Hawk.

CISOs Are In High Demand But Succesion Planning Is Rare

The turnover rate for CISOs is incredibly high and often closely related to pay and working conditions.Given the need for vigilance in the CISO role, high turnover rates do not necessarily pose a problem if organisations have a robust pipeline of cyber talent in place to respond in the event of an exit. To that end, many of the CISOs that Marlin Hawk spoke to reported a discrepancy between a slated successor and the candidate who is named to the role. 

  • This breakdown in the succession planning process is likely due, in part, to a lack of exposure by potential successors to the Board. And despite this current failure, several cyber security executives interviewed believe that a succession plan is vital. 
  • Soft skills have become crucial, but overall diversity and inclusion (D&I) is lacking. On top of incredibly high demand, internal tensions exacerbated by the pandemic have created a need for CISOs who have soft skills to communicate across the business and manage distributed teams: 
  • When it comes to diversity, a number of organisations have made significant improvements. Still, several have yet to tackle the issue of how to integrate diverse talent into their structure. For instance, women account for 14% of information security leaders, and non-white candidates account for just 21% of CISOs at large global enterprises. 

Overall, the evidence suggest that the the role of CISO has never been more complex, challenging and critical to the resilience of the organisations they work for.

Marlin Hawk:        Image: Unpslash

You Might Also Read: 

CISO's Cant Find The Right People:

 

« EU Proposes Legislation To Secure Connected Devices
North America VPN Market Will Soon Be Worth $70 Bn »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cobalt Strike

Cobalt Strike

Cobalt Strike is penetration testing software designed to execute targeted attacks.

Bluink

Bluink

Bluink specializes in identity and access management and customer identity verification, using your smartphone as a strong authenticator and secure identity store.

Loki Labs

Loki Labs

Loki Labs provides expert cyber security solutions and services, including vulnerability assessments & penetration testing, emergency incident response, and managed security.

SEMNet

SEMNet

SEMNet is an IT solutions provider and an infrastructure and security consulting firm.

Redhorse

Redhorse

Redhorse provides top-tier consulting to help clients address mission-critical government problems in National Security, Networking Technology, Energy and the Environment.

Digital Pathways

Digital Pathways

Digital Pathways is an award-winning data security provider that helps businesses protect their digital assets.

TwoThreeFour

TwoThreeFour

ThreeTwoFour provide tailored cyber security solutions, delivered by highly-skilled, experienced consultants who respond to the real needs of you and your business.

Purple Knight

Purple Knight

Purple Knight is a free Active Directory security assessment tool built and managed by an elite group of Microsoft identity experts.

Bitdefender

Bitdefender

Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide.

Theos Cyber Solutions

Theos Cyber Solutions

Theos Cyber provides service-first cybersecurity solutions to digital businesses in Asia.

Ironblocks

Ironblocks

Ironblocks is a pioneering cybersecurity firm that specializes in delivering comprehensive, end-to-end security solutions for the rapidly evolving Web3 ecosystem.

Accelerynt

Accelerynt

Accelerynt was founded with a singular purpose: help teams like yours build cybersecurity resilience.

Nihka Technology Group

Nihka Technology Group

Nihka offers full end-to-end ICT solutions from business optimisation, data centre modernisation, cloud connection and management, and ICT security.

Velotix

Velotix

Velotix empowers organizations to maximize the value of their data while ensuring security and compliance in a rapidly evolving regulatory landscape.

Grey Market Labs

Grey Market Labs

Grey Market Labs is a special place. It is a data privacy and security skunkworks.

Stack Overflow

Stack Overflow

Founded in 2008, Stack Overflow’s public platform is used by nearly everyone who codes to learn, share their knowledge, collaborate, and build their careers.