In 1990, 3 million people globally had Internet access — accessing the web at an average of 14K per second. A Windows update took several days to download. The first ransomware attack had just occurred. It would be four years before Citigroup created the first CISO position.
By the early 2000s, the CISO was a relatively minor position at most organizations, usually reporting to the CIO. In a few companies, the org chart had the CISO reporting to the CFO — or even HR. Well into the 2010s, most didn’t have a seat at the senior executive table, and most had to fight for a meaningful budget.
The CISO was among the first to ship out if the organization suffered a breach.
Today's CISOs are expected to understand the intricacies of digital threats, the broader business landscape in which those threats exist, and how they impact the company. In many organizations, the CIO now reports to the CISO.
If a CISO hasn’t been on the wrong end of a breach, potential employers wonder why not. One organization we follow assigns the CISO to work with major clients to help ensure the safety of the client’s organization.
CISOs require a balance of technical and soft skills to ensure the success of a company’s security strategies and their alignment with long-term goals. Moreover, CISOs are tasked with fostering a culture of shared ownership and cyber risk awareness within their organization.
Their responsibilities encompass everything from managing security technologies to overseeing compliance with regulations, coordinating incident response efforts, and cultivating a security-focused culture within the organization. According to a ThreatTrack survey, 47% of CISOs now report to a CEO or board of directors [1].
Positioning the CISO closer to the CEO and board of directors ensures that data security remains a top priority for the organization. At Aware Force, we have provided some of the CISOs we work with access to customized presentation materials designed to resonate with board members.
According to the U.S. Bureau of Labor Statistics, the employment of information security analysts (a category that includes CISOs) is projected to grow 31% from 2021 to 2031 [3], faster than the average for all occupations. According to a report by Cybersecurity Ventures, there were 3.5 million unfilled cybersecurity jobs globally in 2021, a void that will likely remain until 2025.
Back in September 2020, a Gartner survey revealed that only 12% of CISOs are considered “Highly Effective” [4], indicating a lot of room to improve.
Gartner’s survey measured each CISO’s effectiveness index, which is determined by the CISO’s ability to execute against a set of outcomes in four categories: functional leadership, information security service delivery, scaled governance, and enterprise responsiveness.
Executive search and leadership advisory firm Marlin Hawk says today’s CISOs are taking on responsibilities that have traditionally fallen solely to the CIO. The biggest of these is serving as the primary intermediary between the tech units and the wider business, including the board, stakeholders, and customers. As a result, CISOs must be able to communicate adeptly with individuals at every level of the company.
Five behaviors demonstrated by the top-performing CISOs, according to Gartner:
The profession's future involves being business savvy and having strong leadership skills. CISOs must be comfortable engaging with boards and other C-suite executives and communicating complex security concepts in accessible language.
CISOs are responsible for being a beacon of knowledge and leadership, analogous to a seasoned commander leading an army of vigilant and proactive employees - the first line of defense against cyber threats.
Like a strategist, the CISO mobilizes the troops and empowers them with the necessary tools.
Finally, the key to engaging the organization’s employees is providing relevant, actionable content year-round.
If you’d like to know more about how Aware Force clients are doing that, check our Cybersecurity Newsletter page or connect with us, and in 15 minutes, you'll see why Aware Force has raving fans across North America.
[1] No Respect. Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers, Threat Track Security, www.ten-inc.com/presentations/ThreatTrack-The-Role-of-the-CISO.PDF
[2] The new CISO: Leading the strategic security organization | Deloitte Insights
[3] www.bls.gov
[4] Gartner, https://www.gartner.com/en/newsroom/press-releases/2020-09-17-gartner-survey-reveals-only-12-percent-of-cisos-are-considered-highly-effective