The evolving role of the CISO - what do future cyber executives need to know?

Published on: 6 Jun 2022

Cyber security is now a priority for almost every business. As a consequence, there are more opportunities than ever for professionals in this field to advance their career.

At the top of most organisations' security teams will be the chief information security officer, or CISO. In the past, this has been a highly tech-focused role, with only larger firms having such a position. But in the last few years, as the threat from cyber attacks has risen, there's been a growing recognition of the importance of cyber security as a business risk, which means these professionals are having more influence than ever, and are even finding a place in medium-sized and small firms.

So what changes can CISOs expect to see as their role continues to evolve, and what skills will cyber security pros need to have if they're looking to step up to these positions?

The growing influence of the CISO at board level

Whereas in previous years the CISO was seen purely as a tech role, it is now more integrated with business units than ever. According to research firm Gartner, 88 per cent of boards now view cybersecurity as a business risk, which means they will be more closely involved with these efforts than ever before. 

A consequence of this is that security is increasingly seen as a function distinct from general IT teams. While the majority of firms still have the chief information officer as the highest-level person in the organisation with oversight for cyber security, almost a third of firms (29 per cent) now place this responsibility directly on the CISO.

This influence is also being recognised in the compensation packages being offered to these professionals. Recent research from Via Resource, for example, has found that starting salaries for new CISOs have increased by 22 per cent over the last year, reaching £110,000. Meanwhile, the most experienced senior professionals can now expect to earn a median salary of £200,000. 

What's more, CISO positions, like many cyber security roles, continue to suffer from skills shortages, which means those who do possess the right experience and qualifications may be in a very strong position when looking for a role to suit them.

The challenges facing these professionals

However, with this growing influence comes greater pressure. Gartner stated, for instance, that boards are increasingly demanding to see results when it comes to cyber security performance. Paul Proctor, distinguished research vice-president at the firm, said: "After years of such heavy investment in security, boards are now pushing back and asking what their dollars have achieved."

Therefore, it's hardly surprising that levels of stress among CISOs are high, with one report from Nominet suggesting 88 per cent are under moderate to high stress. Efforts to improve work-life balance may go a long way to solving this issue, as currently, the average CISO works ten hours a week more than they're contracted for.

This may also be a key reason why turnover among these professionals remains high. According to Nominet's research, the average tenure of the CISO is only 26 months, which can make it challenging to implement major changes to firms' security strategies, as these can often take three to five years to fully come to fruition.

Greater integration with the board is likely to be critical in addressing this issue, especially if CISOs can secure their own seat at the top table. While only a small minority of firms actually have their CISO recognised as a full board member - just four per cent according to Heidrick and Struggles' 2021 Global Chief Information Security Officer Survey - 90 per cent now present directly to their board or audit committee on a regular basis. 

Meanwhile, Gartner forecasts that 40 per cent of boards will have a dedicated cybersecurity committee by 2025. This is likely to ensure CISO professionals feel more closely connected to the running of the business and involved with high-level decision-making.

Expanding the CISO skillset

Being able to manage both business and technology demands will clearly be an important skill for CISOs in the coming years. The ability to communicate effectively with non-technical executives, and to draft and present clear reports, will be vital, as will management and delegation skills, as it's increasingly clear that CISOs need the support of more junior staff in order to handle such a diverse and demanding environment.

When it comes to technical skills, it was noted by Jamal Elmellas, chief operating officer at Focus-on-Security, that a degree in an IT-related subject - ideally at Master's level - is considered a must for prospective CISOs, while industry certifications such as CISSP are also essential. 

In general, these personnel are also expected to have around a decade of experience in the sector and in-depth knowledge of security technologies and compliance regulations.