Q&A with Kevin West, CEO, K logix
Published On: March 28, 2024
Q: Over the last 5 years, CISOs have been asking K logix for trends around how they compare to their peers in terms of reporting structure. Why is this important?
A: That’s a great question, because I’ve thought a lot about why we are getting asked that. What we do know is that fewer CISOs are reporting into CIOs than ever before, and more are reporting into CEOs and other areas of the business outside of IT. We poll CISOs on a yearly basis, and recently we found that 33% report into CIOs (down from 62% in 2017), 27% report into Chief Risk Officers, 11% into Chief Technology Officers, 11% into CEOs, and the rest into a mix of Chief Financial Officers and General Counsels, among other C-level titles.
So, why are CISOs asking us about this? Why do they care about reporting structures? Since the most significant change we’ve seen in recent years is the decrease of CISOs reporting into CIOs, I believe they care about getting out from under IT. That gives them a more direct line into the business, so they are able to communicate on their program’s behalf.
I’m curious whether this trend will continue and what the long-term benefits will be, and I look forward to watching how it unfolds in the coming years.
Q: What additional responsibilities have CISOs taken on in recent years?
A: My thoughts on this come directly from real-world experience with the CISOs I communicate with among our customer base. These CISOs are taking on more risk-related duties, working through areas like GRC, third-party risk, and transformation requirements. I imagine this is similar for CISOs across most industries, as they are persistently working to ensure the security program is keeping pace with the direction the business wants to go. Not only are they working to continually align, but they talk about ensuring strong communication is in place so security is included in projects from the beginning, what many would call the “shift left” mentality, where security is baked in from the start and not an afterthought.
When I speak with CISOs, I wonder how they continue to evolve in these circumstances. Being pulled in many directions while still maintaining a low risk profile and high maturity may be challenging.
Q: How are CISOs juggling everything?
A: Many of our customers are dealing with budget restraints while at the same time having more responsibilities added to their plates. Often they might not have the budget to add headcount, so they have to think strategically about investing either in tools that have the potential to help them streamline across responsibilities, or in platforms that consolidate individual investments, alleviating pressure on headcount. Alternatively, they are using outside help, like a third party that comes in and partners with them to ease the burden on their teams’ time.
I am curious about the long-term impact of this rinse and repeat cycle, and will continue to speak with our CISO community about this topic.
Q: How have CISOs’ relationships with their boards and executives changed?
A: In my experience over the last 20-plus years working with security teams, I’ve seen a lot of growth between CISOs and boards. Today, many CISOs have seats at the table and are actively presenting to the board, in contrast to 5-10 years ago, when they might not have had an opportunity to speak in front of them. I’m not saying it is a perfect relationship; some CISOs get 10-15 minutes twice a year to present, while others get significantly more time. It really varies, and in many of the CISO interviews we conduct for this magazine, we hear the same thing: there is no standard, and there is still a wide variety of board interactions.
The people sitting on boards seem to be more knowledgeable about cybersecurity. I’ve heard from CISOs that their board members might sit on multiple boards and can come into meetings with context on how other companies are running their cyber strategies. Many CISOs talk about there being a greater awareness around cyber, something they find to be a big benefit, because they are doing less educating and are able to engage in more thoughtful conversations.
Many of the CISOs we’ve interviewed say that, no matter what, the most important thing to do in boardroom presentations is to simplify and cut down what they plan to present and make sure it hits home with a business person. Then go back and simplify again! CISOs who do this make a more meaningful impact during meetings and might be better positioned to gain more budget or resources. At the very least, they gain more mindshare and get their priorities across in a more streamlined way.
Q: What types of questions are board members asking CISOs?
A: I’m not an expert on boardroom discussions, but I do learn from our customers and those we interview for this magazine about their interactions. In these conversations, I’ve learned that boards have elevated their level of questioning. While CISOs still receive questions like “will the cyber incident I saw on the news happen to us?”, they are also being asked more poignant questions specific to their organization and its goals. They are hearing things like “what is the business impact of your current priorities?”, and boards are curious about things like revenue impact, privacy regulations, risk tolerance, and long-term goals for maturity.