Three of four CISOs ready for job change

Growing anxiety over new and expanded demands for their jobs has many CISOs mulling over an employment change, according to an annual research study released Wednesday. The State of the CISO 2023-2024 Report, by IANS Research and Artico Search, revealed that 75% of CISOs are open to a job change, an eight-point jump from the previous reporting period.

The report, based on a survey of 663 CISOs and unstructured interviews with 100 more in a range of industries and company types across the US and Canada, also found that CISOs who said they were satisfied with their job and company dropped during the period by 10 points, to 64%.

“Satisfaction has been rising consistently for the past few years, but last year, it dipped,” says IANS Research Director Nick Kakolowski. “Last year, the pressure on CISOs ratcheted up big time with the new SEC rules and CISOs being held personally liable for breaches.”

In late July, the SEC announced that public companies were required to disclose any material breach within four business days of discovering that the incident has material impact. “The SEC disclosure ruling shook up cybersecurity leadership across multiple industries,” explains Devin Ertel, CISO at Menlo Security, a zero-trust web security company. “Given the relatively vague language of the ruling, CISOs are on edge about how these regulations will impact their work and turn their jobs into potential areas in which they can be prosecuted, since it’s common knowledge that the full impact of a breach can take months, if not years, to become known after rigorous investigation.”

Doom and gloom on CISO forums

Kakolowski explained that while pressure has ramped up for CISOs, the rewards haven’t. “Businesses still haven’t figured out how to elevate the CISO in the business and compensate them accordingly,” he says. “The job is getting harder and the rewards just aren’t there.”

“The environment surrounding CISOs is extremely turbulent right now, and their individual exposure to lawsuits is at an all-time high. CISOs face a real danger of being indicted or sued for things outside of their control,” adds Patrick “Pat” Arvidson, chief strategy officer for Interpres, a maker of a threat-informed defense surface management platform.

It is clear from the IANS survey that the dynamics are not favoring the CISO, observes Padraic O’Reilly, founder and chief innovation officer at CyberSaint, maker of an automated compliance and risk management platform. “Limited budget and maximum liability—not a great formula,” he says. “Incentives among all the players have been and still are misaligned. CISOs have been put into kind of an executive limbo—too little access to legal or the chief financial officer, exposure to the board intermittently, and not in any established way. When you jump on CISO forums, there is more than a bit of doom and gloom. The report says as much; many have one foot out the door.”

CISOs need to own digital risk

The report also noted that despite having C-level responsibilities, CISOs are having trouble attaining that kind of recognition within their organizations. It found only 20% of all CISOs and 15% of public company CISOs are regarded as C-level executives, and just 50% engage with the board of directors quarterly. “What we’re seeing is an increased need for CISOs to own digital risk,” Kakolowski says. “The business needs it, and it’s asking CISOs to step into that role. But for CISOs to do it, they need exposure to a wider range of business units and exposure at the board level.”

“CISOs should be able to articulate the role of cyber as a part of a company’s business strategy. They struggle to do that if they have to report in through another organization and their true message may end up being filtered or watered down,” adds Michael Mestrovich, CISO of Rubrik, a global data security and backup software company.

CISOs and boards: Figure out how to speak each other’s language

Another finding in the report is that CISOs aren’t getting the face time with boards that they need. Eighty-five percent of CISOs in the survey indicated their board should offer clear guidance on their organization’s risk tolerance for the CISO to act on, but only 36% found that to be the case. “We are seeing some boards figuring this out and being effective there, but across the board, there’s either a lack of visibility at the board level—CISOs aren’t consistently reporting to the board—or CISOs and boards haven’t figured out how to speak each other’s language,” Kakolowski says.

Based on his experience as a CISO and now a consultant, Brian Betterton of GuidePoint Security maintains CISOs don’t receive enough guidance from boards. “Unless it’s a mature organization which understands and manages risk within a risk governance framework that defines these things, a CISO may need to be very proactive to have these discussions, perhaps even initiating them,” he says.
