How the CISO Role Continues to Gain Importance and Evolve
June 22, 2023 – Even in the context of a cooling hiring market, the role of the chief information security officer is maturing as organizations’ technological needs and risks become greater and multiply, according to the 2023 Global Chief Information Security Officer Survey, just released by Heidrick & Struggles. “To ensure success and continued organizational sustainability, organizations and leaders must recognize the critical role of the CISO and prepare for the future,” the report said. “This includes considering a robust succession plan, investing in cybersecurity expertise and leadership development, and offering competitive compensation packages.”
Additional research from Heidrick & Struggles revealed that 76 percent of CISOs said they were very or entirely open to changing companies in the next three years, underscoring the importance of succession planning and an increased focus on retention strategies.
“The increasing importance of cybersecurity in today’s landscape is creating a significant shift in the role of the CISO as organizations face heightened professional and personal risk,” said Matt Aiello, partner at Heidrick & Struggles. “The most advanced companies are taking measures to eliminate risk within the CISO role, while strengthening their overall cyber program through robust succession planning, severance protections, D&O policies, and including cyber expertise on boards.”
Professional and Personal Risks Greater than Ever
For this report, Heidrick & Struggles compiled organizational and compensation data from a survey fielded in early 2023 of 262 CISOs around the world. Most carried the title of chief information security officer, but respondents also include chief security officers and senior information security executives.
The importance of the CISO role continues to grow as digital technologies, particularly artificial intelligence, become even more prevalent and concerns about cyberattacks, specifically ransomware, rise, the study said. When it comes to organizational risk, 46 percent of CISOs cited artificial intelligence and machine learning as most significant, followed by geopolitical risks (33 percent) and cyberattacks (19 percent), which include ransomware, malware, insider threats, and nation/state attacks. More than half of the respondents said they believe that the most significant cyber risks that pose a threat today will not be the same five years from now.
In addition to technological advances and more sophisticated threats, CISOs also face increasing pressure to stay ahead of the curve, leading to stress and burnout—which remain top personal concerns for CISOs year over year. In fact, 71 percent of respondents identified stress related to their roles as their most significant personal risk, a jump from 59 percent in 2022. Fifty-four percent identified burnout as their most significant personal risk, up from 48 percent in 2022.
To address this, organizations must prioritize succession plans and/or retention strategies to prevent CISOs from exiting unnecessarily, said Heidrick. There is room for hope, however, as 80 percent of respondents agree that, within their roles they are able to invest in leadership and development to build or enhance team capabilities.
More Opportunity for CISOs, But Challenges Remain
The demand for cybersecurity leadership and the specialized skills that come with it, as well as diversity in executive positions, has become increasingly crucial within organizations, executive teams, and at the board level. Companies are now seeking to broaden their horizons, venturing beyond traditional industry-and IT-specific criteria when selecting CISOs, says Heidrick. Businesses are actively searching for the most qualified executives for the role, with a focus on diversity in terms of gender, race or ethnicity, as well as industry and functional expertise.
Despite the critical nature of the CISO role, Heidrick found that many organizations aren’t prepared for the long run. The survey found that almost half (41 percent) of respondents say their company lacks a succession plan for the CISO role, though more than half of those that do not have a plan are developing one. “This underscores the need for organizations to prepare for unforeseen departures of CISOs and ensure they have a solid plan developed to seamlessly transition responsibilities,” Heidrick said.
Related: Cybersecurity is the No. 1 Risk Leaders Can’t Ignore
The survey also revealed that while over half of respondents expressed a belief that their corporate board possesses only partial or no knowledge and expertise required to effectively respond to cybersecurity presentations, only 30 percent of CISOs currently sit on a corporate board. This is a notable increase from the 14 percent who said the same in the prior year, yet still unveils a concerning gap in board expertise.
The Evolving Role of CISOs
Competition for top chief information security officers is growing fierce as companies seek to protect themselves from potentially crippling cyberattacks. Newly released compensation data from IANS Research and Artico Search shows how this role continues to transform and mature. Let’s take a closer look!
“It is encouraging to see a leap in the number of CISOs sitting on corporate boards, but there is still work to be done in terms of board knowledge and expertise in cybersecurity,” said Scott Thompson, partner at Heidrick & Struggles. “And while we applaud the increase in CISOs on boards, other executives can serve as cyber experts on boards including CIOs, CTOs, GCs, chief risk officers, and many others. One size does not fit all – each board can decide what kind of cyber expertise fits its needs. But this is no longer an area boards can’t take seriously”.
As Risk Heightens, so does CISO Compensation
As seen in previous surveys, Heidrick found that CISOs across regions are seeing increased compensation. From an industry perspective, CISOs in the financial services industry reported the highest average total compensation, while those in the technology and services industry received the highest average annual equity/LTI.
Compensation trends by region:
- U.S.: Similar to previous years, U.S. CISOs generally report the highest compensation. For CISOs in the U.S., reported median total cash compensation increased six percent year over year, to $620,000 in 2023. Median total compensation, including any annualized equity grants or long-term incentives, also increased, up to $1,100,000 this year.
- Europe: The average total cash compensation for CISOs in Europe was $457,000. Average total compensation, including any annualized equity grants or long-term incentives, was $552,000. As in the U.S. and Australia, those in the financial services industry reported the highest average total cash compensation, at $623,000. In Europe, those in healthcare and life sciences reported the lowest. Average annual equity/LTI was highest for those in technology and services.
- Australia: The average total cash compensation for CISOs in Australia was $368,000. Average total compensation, including any annualized equity grants or long-term incentives, was $586,000. As in the U.S. and Europe, those in the financial services industry reported the highest average total cash compensation, at $501,000.
The Heidrick report says that the CISO role is continuing to evolve to meet the rapid pace of disruption and new challenges organizations face every day—and with that, leaders must recognize their unique yet important position in organizations.
“The world is currently experiencing a revolution,” the Heidrick report said. “With technology constantly advancing, the contemporary business landscape is now defined by rapid innovation. Advances in cloud computing, artificial intelligence, machine learning, and the internet of things have enabled companies to become lean, agile, and efficient competitors in the global market. Indeed, the promise of a digital future has convinced organizations across all industry segments to adopt more technology-focused business strategies.”
To read the full report click here.
Related: The Hunt for Cyber Technology Leaders Heats Up as Risks Multiply
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media