Marlin Hawk released a research report which explores industry trends and insights of CISOs around the world, the challenges they face in a rapidly evolving cybersecurity landscape, as well as their role and place within organizations.
The report also analyzes the role of the CISO regarding the short- and long-term impacts of the pandemic, perspectives on diversity, tenure, and succession, as well as the impact of cybersecurity expertise at the board level. It consists of research from CISOs at 400+ of the world’s largest companies and direct feedback from Fortune 500 CISOs at organizations like Bank of America, Humana, TD Bank Group, Equifax, Credit Suisse, and BT Security.
“There are so many more industries recognizing the importance of technology as a result of the pandemic, and therefore the importance of CISOs, thus creating much more demand,” said Jason Mallinder, Group CISO, Credit Suisse. “As this demand continues to grow, the demands on CISOs continue to evolve, including the talent agenda becoming ever more challenging.”
Overall key findings from the report include:
- 67% of those interviewed were hired by a new company, which translates to a poor job of retaining and promoting within
- 53% of CISOs interviewed assumed a new role during the pandemic, while just over a third took on an expanded role at their current place of employment
- 14% are women while only 21% are non-white, which highlights the industry’s overall inability to address diversity and inclusion (D&I)
- Only 1% of boards currently include a cybersecurity leader, underscoring a lack of comprehensive cybersecurity expertise and knowledge
CISOs are supporting the shift to location-agnostic working practices
Given the various solutions that have been put into place to enable a secure remote workforce, many CISOs see the benefits to sustaining it, such as access to better and more diverse talent. Many organizations find that a location-agnostic approach to hiring increases the candidate pool and raises the bar on the type of talent they can attract.
“The CISO role has become an interesting mix of digital and physical security,” notes Aman Raheja, CISO, Humana. “The combination created new risk for CISOs, who had to architect solutions to ensure access to critical services and ways of working.”
Additionally, as remote work evolves into a more permanent hybrid model for enterprises, changes in working and purchasing habits have emerged as a key differentiator for the board. They frequently consult the CISO on a broad range of topics, which now includes things like investment decisions tied to real estate.
CISOs deserve more influence and representation in the boardroom
COVID-19 obviously introduced a new level of complexity as CISOs were tasked with securing a remote workforce and mitigating risks and threats, which increased as the enterprise network became more porous. The unprecedented pace at which CISOs have had to adapt has fundamentally changed their role to a key driver of business and digital transformation but also addressing all security needs across the enterprise:
“There is a technology strategist role that is continuing to emerge,” says Glenn Foster, CISO, TD Bank Group, “It goes beyond the security stack more broadly into questioning trust in our legacy technologies and where we need to make investments to mitigate against those risks. Where the CIO would traditionally be leading conversations about operational efficiency, you now see the CISO championing them, too.”
“The size of the boardroom table continues to grow, as governing a modern corporation continues to become more complex and less rooted in the purely financial lenses of the past,” says James Larkin, Partner at Marlin Hawk.
“If companies aren’t ready to add another seat (for the CISO) to their board, then councils and committees must bridge this gap until they are – be it internal or advisory adjuncts to the board. Starting with a cyber security and customer trust committee is a good first step. Technology governance, data privacy, customer trust, and cyber risk are all starting to feel like different flavors of the same governance issue, and the issue is growing, not shrinking.”
CISOs in high demand and tough to retain but planning for their successor is rare
The turnover rate for CISOs is incredibly high and, not surprisingly, often tied to compensation, a poor work culture, and a lack of resources. Given the need for vigilance in the CISO role, high turnover rates do not necessarily pose a problem if organizations have a robust pipeline of cyber talent in place to respond in the event of an exit.
To that end, many of the CISOs reported a discrepancy between a slated successor and the candidate who is named to the role. This breakdown in the succession planning process is likely due, in part, to a lack of exposure by potential successors to the board. And despite this current failure, several cybersecurity executives interviewed believe that a succession plan is vital.
Soft skills becoming crucial, but overall diversity and inclusion is lacking
On top of incredibly high demand, internal tensions exacerbated by the pandemic have created a need for CISOs who have soft skills to communicate across the business and manage distributed teams:
“The CISO’s number one responsibility is providing an independent voice,” notes Craig Froelich, CISO, Bank of America. “The role requires self-awareness and humility; good CISOs are willing to admit to themselves and others when they don’t have the same set of fresh eyes as day one.”
When it comes to diversity, a number of organizations have made significant improvements. Still, several have yet to tackle the issue of how to integrate diverse talent into their structure. For instance, women account for 14% of information security leaders, and non-white candidates account for just 21% of CISOs at large global enterprises. This disparity needs to be addressed, but the issue is often compounded beyond equivalent roles across other functions in an organization.