IANS Research and Artico Search released their State of the CISO 2023-2024 Report, an annual research study that provides deep insights into
critical aspects of the CISO role based on background, job level, compensation,
budget dynamics, board engagement, and job satisfaction data. This year, more
than 660 Chief Information Security Officers (CISOs) provided data.
Additionally, research team members held conversations with over 100 CISOs to
better understand the challenges CISOs face today and future opportunities.

At the outset of 2024, CISOs are experiencing a duality of anxiety and
opportunity, which is attributed to
reduced cybersecurity spending, increasing cyber breaches, the rise of
generative AI tools, and stricter cybersecurity rules emphasizing disclosure
requirements. In this context, key report findings include:
- Traditional CISO role characteristics may no longer meet the needs in this
rapidly evolving landscape. This situation
gives CISOs an unprecedented opportunity to argue for a place in the
executive ranks. Furthermore, the increased threat environment
organizations face gives CISOs more ammunition to influence leaders
outside their direct sphere of control.
- Regulators now hold CISOs accountable for transparency and even fraud on
behalf of their organizations. Despite the role
expectations being elevated to C-Level, CISOs struggle to be viewed as
such, and the CISO role is frequently not part of the senior leadership
team. Only 20% of all CISOs and 15% of public company CISOs are regarded
as C-Level executives, and just 50% engage with the Board quarterly. CISOs
with Board access are more optimistic about budget and risk alignment.
Only 28% without Board engagement are satisfied versus 57% with at least
infrequent or ad hoc Board contact.
- CISOs seek clear risk guidance from boards but often don't find it. 85% of
CISOs in the survey indicated their board
should offer clear guidance on their organization's risk tolerance for the
CISO to act on. However, just 36% find that this is the case.
- A seat at the table calls for increased business skills. Most CISOs build
their leadership skills through executive coaching and formal leadership
training; the total compensation of CISOs who are currently in or have
completed an executive coaching program exceeds that of those who haven't
done a leadership skill development program by more than $200,000. Only 20% of
CISOs receive internal mentoring from non-tech colleagues.
- Technology skills dominate CISOs' formative years. In
the years leading up to the top job, the two dominant career paths are a
technical path and a risk and compliance path, although some CISOs have
crossed over during their formative years. CISOs with a tech background
earn more than risk/compliance CISOs.
- Most CISOs are considering a job change. This
year's satisfaction ratings suggested heightened anxiety among CISOs.
Between 2022 and 2023, the share of CISOs who are satisfied in their job
and company fell by 10 points to 64%. Meanwhile, the share open to a job
change increased by 8 points to 75%.

"We see CISO satisfaction positively correlated with access and influence at
the board level," stated Steve Martano, a partner in Artico Search's
cybersecurity practice and IANS Faculty member. "CISOs with a strong rapport
with their boards feel more valued and generally report they are 'heard', even
when there are disagreements on budgeting."

For more insights, please download the full summary report.