What It Takes to Be a CISO: Success and Leadership in Corporate IT Security
A new study by PAC, a CXP Group company, conducted on behalf of Kaspersky Lab, finds that as digital transformation progresses, affecting not only IT and the business side but also cyber security, the role of the Chief Information Security Officer (CISO) is changing as well, becoming more managerial and collaborative.
Our world is becoming increasingly digitalized, and for companies, taking part is no longer optional. The ongoing trend of digital transformation has opened up economies, businesses, and information systems, making them more agile and connected, but also more vulnerable and exposed to threats. In the face of these rising risks, cyber security is essential: it protects the enterprise and its ecosystems, and in doing so it also acts as a key enabler of the transformation itself. “But to meet those challenges, the role of the Chief Information Security Officer is also transforming”, says Mathieu Poujol, Head of Cybersecurity at PAC.
How CISOs’ performance is measured
The role of the CISOs surveyed within their respective companies can be characterized by the KPIs they are measured against, the department they work in, and their most important tasks. Those KPIs reflect the priorities of the CISO: protecting the company from cyber threats and their impact, reducing vulnerabilities, addressing compliance issues, and keeping budgets on track.
Looking at the way CISOs’ performance is measured, significant differences in the KPIs can be seen depending on the CISO’s length of time in the role: shorter-tenured CISOs are less often measured against every one of the KPIs. The differences between geographies are also significant. For example, the quality and speed of incident response handling is a KPI for 80% of the CISOs surveyed in APAC, while only 68% of the CISOs in Latin America are measured against it.
CISOs who think they are not adequately involved in business decisions are measured 9% less often against the incidence of serious breaches and 10% less often against their compliance track record. This seems to reflect the lower level of involvement in business decisions that their enterprise grants them.
CISO involvement within the board
While involvement is one thing, organizational hierarchy is another. “Usually, you would expect a Chief Information Security Officer to be part of the C-suite. However, only 26% of the CISOs surveyed are part of the board and attend all meetings”, states Wolfgang Schwab, Principal Consultant at PAC. A CISO at executive level is usually found only in highly digitalized enterprises, highly sensitive ones, and very large organizations, all of which tend to go hand in hand with high cyber security maturity. This discrepancy is reflected in the fact that only 58% of the CISOs surveyed think that they are adequately involved in business decision-making.
However, only 25% of the surveyed CISOs who are not part of the board think they should be; the others are happy with the position they currently have. In Europe, 41% of the CISOs who are not part of the board think they should be, whereas only 13% of the CISOs surveyed in the CIS who are not part of the board think this way.
One finding of the study is that a large majority of the CISOs do not see themselves as business managers, which is normally a key part of a CxO-level role, but rather as domain experts. Cyber security managers are among the most technical roles in the enterprise, and that is how they are evaluated.
CISOs as a source of advice
CISOs who want to increase their involvement with the Lines of Business (LoBs) are more often asked for advice by the board than CISOs who do not. CISOs who have a good network in their organization and are willing to work with the different LoBs are perceived as a more valuable source of advice than their peers without that level of engagement. This points to a future trend in CISO profiles: they will have to be more business-friendly and focus on business risks. Some major companies already have a CISO who does not come from the IT department.
About the study
The PAC study, “What It Takes to Be a CISO: Success and Leadership in Corporate IT Security”, seeks to answer these questions, and more. Carried out by PAC on behalf of Kaspersky Lab, it analyzes the status quo and future developments worldwide with regard to the CISO’s role and organization. It is based on a CATI (computer-assisted telephone interview) survey of 250 companies around the world with CISOs or their equivalents, as well as 11 expert interviews. The study will be repeated annually; this first edition was carried out in summer 2018.