Checking the Facts: CISO Progress


Over the past five years since we started this magazine, we have not only featured and profiled leading CISOs from all over the United States, but we have also collected trends. These trends are then correlated with industry statistics to help make an impact on the information security community. We want to share with you some of the most important trends we have collected ourselves, along with specific industry trends that stand out.

We focus on changes for CISOs in terms of responsibilities, approach, and acceptance as a leader.

Based on our research interviewing over 100 CISOs, one out of every four CISOs changes organizations every four years. We have seen the highest amount of CISO turnover in healthcare organizations, with almost 50% moving jobs every four years. Banking and finance CISOs come in second, with an average of 37% moving jobs every four years.

We wanted to understand why this occurs and discovered key statistics from industry research. In a recent ISSA survey, they concluded:
- 38% of CISOs change jobs when they are offered higher compensation packages from other organizations.
- 36% of CISOs change jobs when their current employer does not have a corporate culture that emphasizes cybersecurity.
- 34% of CISOs change jobs when they are not active participants with executive management and the board of directors.
- 31% of CISOs change jobs when cybersecurity budgets are not commensurate with the organization’s size or industry.
(Source: The Life and Times of Cybersecurity Professionals, ISSA)

While money clearly matters when it comes to CISO career choices, it is also evident that they want to work for supportive executives and organizations. Vital to a CISO’s success is the opportunity to work in an environment that willingly funds a security program and that recognizes the impact security has on an organization’s ability to function and grow. CISOs want to work at organizations where executives are buying in and participating in the planning and execution of security priorities.

It is reported that 65% of enterprise organizations have filled CISO positions, up from 50% in 2016, whereas only 22% of SMB organizations have filled CISO positions. We anticipate that this number will continue to grow as more organizations recognize the value of a CISO role. (Source: 2018 IDG Security Priorities Survey)


We examine why more and more organizations are hiring CISOs. With the striking increase in cyber threats and cyber crime, a new age of professional cyber criminals has emerged over the past few years, amounting to a form of organized crime. These sophisticated and proliferating threats target critical data, posing a risk for any organization without a strong security posture in place. Without a CISO leader, organizations are more exposed to the negative impact of threats, which also hinders innovation and operational growth.

This affects the role of the CISO as both a challenge and an opportunity. CISOs continue to evolve into business enablers and strategists, moving away from the technologist reputation and approach. They must articulate the risk to the business, have two-way, meaningful communication with executives, and demonstrate business metrics.


The importance of this evolution is evidenced by growth in CISO reporting structures and the presence of CISOs in boardroom discussions. Since 2015, the rate at which boards are formally updated on cybersecurity risks is up 20%. Furthermore, 35% of CISOs today report directly to the CEO of their organization. (Source: The Global State of Information Security Survey 2018, PwC)

When we first asked CISOs how much their budgets increased each year, we found 85% said their information security budgets increased 10-15% per year.

Nearly 9 in 10 companies plan to increase cybersecurity spending next year, up 10% from the 76% that said the same thing in 2017. Worldwide numbers are slightly smaller, with 78% reporting plans to increase spending on cybersecurity, compared to 73% last year. (Source: 2018 Global Threat Report 451 Group for Thales)


In turn, the total worldwide cybersecurity spend predicted for 2019 is $96.3 billion. According to Gartner, the $96.3 billion that organizations will spend on security products and services next year represents an increase of 8% over 2017 and a more than 17% jump over the $82.2 billion that organizations spent in 2016.

According to research conducted by IBM, the ideal spend on cybersecurity is 9.8 to 13.7% of an IT budget. This percentage, per Gartner and other research firms, is estimated to grow along with the increased integration of security into all facets of IT infrastructure.


In fact, cybersecurity spending is expected to grow to $1 trillion between 2017 and 2021. However, there is still a sizable gap between the threat level and reality, with a majority of businesses delaying or downright denying the importance of a cybersecurity budget that exceeds 3% of a company’s capital expenditures.

As noted in the numbers above, organizations are spending more than ever on security. Yet 7 in 10 say they want at least 25% more spending, and 17% want up to a 50% increase. However, only 12% believe they will actually receive a security budget increase of over 25%. The rest clearly will just have to make do with whatever increases they get. (Source: EY Global Information Security Survey 2017-18)

Even with many things in their favor, some CISOs believe they will need additional budget to keep up and ensure their programs remain strategic.

So, what are CISOs spending their budgets on? According to a recent IDG CSO study, 46% of budgets are spent on purchasing new technology, 34% on conducting audits and assessments, and 32% on adding new skills or capabilities.

In the same study, IDG asked leading CISOs what factors help them determine the priority for security spending. In the results, 73% of CISOs said best practices are the number one factor fueling their spending, with compliance mandates coming in second at 69%. Responding to an incident that occurred came in at 36%, followed by mandates from the Board of Directors at 33%, responding to a security incident that happened at another organization at 29%, and partner mandates at 22%. (Source: 2018 IDG Security Priorities Survey)


Something that has become more prevalent in the past five years is board engagement when it comes to budget discussions. 45% of CISOs said their corporate board participates actively in setting security budgets. (Source: EY Global Information Security Survey 2017-18)

One of the top strategic goals for CISOs is the balance between addressing the ever-evolving threats impacting their organizations along with adjusting to their higher-profile status in the C-suite.

In the past five years, CISOs have become more prevalent in the boardroom and executive meetings. This shift is due in part to CISOs becoming more business-focused, paired with the rising publicity received by cybersecurity, which has made executives more aware of the necessity of strong cybersecurity programs.

According to data from Deloitte’s CISO Labs, building capabilities to better integrate with the business is a consistent priority among CISOs. Over 90% of CISOs hope to improve the strategic alignment between the security organization and the business, yet nearly half (46%) fear they will be unable to accomplish that alignment.

Featured in this issue is Sue Schade, currently the Principal of an advisory firm (originally interviewed as CIO of University of Michigan Health System). She states, “The demand is greater than ever for cybersecurity professionals. There’s a lot of opportunity out there and I think there’s a noticeable gap versus the jobs and the number of people that are available for those jobs. I think that’s also driven an increased awareness within senior leadership in organizations and a realization that this still needs to remain top of mind. It’s not going away.”


CISOs are ensuring their programs have strong foundations based on key strategic goals such as aligning with the business and making a positive impact on revenue. Based on our research, cybersecurity plans are focused on running strategic, business-minded programs. While many security leaders are engaging more frequently with senior executives, according to Deloitte CISO Labs research, 79% of CISOs reported they were “spending time with business leaders who think cyber risk is a technical problem or a compliance exercise.” As a result, most CISOs “have to invest a lot of time to get buy-in and support for security initiatives.”

IDG asked CISOs: what security-related challenges are most often forcing you to redirect your time and focus away from more strategic tasks?

Based on IDG’s results, compliance and external threats continue to ‘eat away’ at strategic efforts. In many organizations, notably healthcare and finance, regulations and compliance reign over most cybersecurity decisions as roadblocks to focusing on key strategic initiatives.

Lack of talent poses another challenge for CISOs, and according to recent estimates, there will be as many as 3.5 million unfilled positions in the industry by 2021. Furthermore, according to The 2017 Global Information Security Workforce (GISW) Study, two-thirds of its nearly 20,000 respondents indicated that their organizations lack the number of cybersecurity professionals needed for today’s threat climate.

Organizations must broaden the pool of candidates and the skills they require. When looking beyond certifications or degrees, hiring managers should focus on core soft skills such as business aptitude and eagerness to learn.

We have produced previous magazine issues on the lack of talent and the lack of women in security. The lack of women, veterans, and minorities is a tremendous issue facing the industry, and although we could address this topic with extensive information, we will focus mainly on the statistic that women represent only 14% of the cybersecurity workforce. Organizations must empower more women to join their teams, and create work environments conducive to all employees, both men and women.

In conclusion, we are at a pivotal time in information security. Over the past five years, cybersecurity has become an executive and boardroom topic, enabling CISOs to engage more with these leaders. With threats becoming more sophisticated, CISOs will continue to focus on keeping up while at the same time addressing their strategic priorities. Because of increased salary offerings, or corporate cultures that do not support cybersecurity, CISOs are moving positions more frequently than ever before. The lack of talent in the industry is still prevalent and is having a growing impact on security programs’ growth.

CISOs are in a unique position – they are respected, yet must possess the skills to properly educate business leaders on how to strategically improve their security programs. They are getting creative to address the lack of talent by searching outside of specific IT security experience and focusing on business acumen skills for candidates they can then train. Their budgets are significantly increasing, allowing them to not only focus on combating threats, but to also engage in security awareness and other strategic priorities within their programs.

Looking forward to the next five years, we believe organizations of all sizes will hire, retain, and support their CISO leaders in a way never done before, not only because of rising threats, but also because they believe in security as a business enabler.

Written By:

Katie Haug Dec 12, 2018

Marketing Director