
More than half of UK businesses surveyed in new research are planning to appoint their first CISO within the next two years as they prioritise cybersecurity investment. Experts cite cyberthreats, digital transformation, and regulations as key drivers of this trend but warn that ambiguity surrounding CISO responsibilities could negatively impact hiring ambitions. CISO job specifications therefore need to be made clearer to ensure effective hiring and retention of new security leaders.
CISO hiring spree to combat cyberthreats
The findings come from global edge cloud platform provider Fastly, Inc., which surveyed information security and IT professionals from 250 UK companies to ascertain what their most prevalent security threats are and where investments will be made to overcome them. It discovered that malware-based attacks, denial-of-service attacks, and attacks targeting known vulnerabilities are going to be most costly for UK businesses over the next five years, and whilst only a quarter of the businesses polled currently employ a CISO, 56% are planning to hire one within the next six to 24 months.
Paul Watts, distinguished analyst at the Information Security Forum and former CISO, tells CSO that this is being propelled by factors such as disruptive cyber incidents, digital transformation, and regulatory burdens. “Disruptive events and e-crime have demonstrated the importance of being able to prepare for, and respond to, technical and non-technical threats to business outcomes,” he says. “Organisations who cannot demonstrate their commitment towards business resiliency post-compromise or following a major disruptive event are seeing their reputations and livelihoods challenged, in some cases to the brink of extinction. This has compelled organisations with no or weak security leadership to act.”
Likewise, digital transformation continues at a blistering pace, and society and business have changed permanently as a result, Watts adds. “This churn and change drives risk as well as value, and organisations are recognising that the ability to clearly identify and manage this risk represents a gap. Where traditional IT teams existed in a silo, there now exists a clearer relationship between technology and business, and that requires an arbitrator, a referee, or a trusted advisor to sit in the middle and provide conscientious bipartisan thinking. This is, of course, where the CISO should sit.”
As for the impact of regulatory issues, Watts cites the arrival of regulations such as GDPR and NIS. He also predicts more regulation focused on AI, machine learning, the metaverse, and other technologies in the near future. “The face of this regulatory compliance is often perceived to be the CISO, and organisations without one feel increasingly exposed and overwhelmed by the changing landscape.”
Interestingly, Fastly’s research found that certain sectors are ahead of the curve. Seventy-five percent of businesses in the construction/engineering sector already have a CISO in place, closely followed by local/national government (60%) and aerospace (50%).
Ambiguity of CISO role threatens hiring intentions
Although Fastly’s research suggests a period of beneficial security investment both for UK companies and job-seeking CISOs is on the horizon, some of its findings give cause for concern regarding how well businesses understand the parameters of the CISO role. For example, one in four respondents claimed CISOs are too often blamed for things which are not their fault. This was most prevalent in the government, construction/engineering, and aerospace sectors, with over 50% of companies stating that CISOs are regularly scapegoated for issues they are not responsible for.
Furthermore, almost a third of respondents stated that CISOs should have an in-depth understanding of every area of IT, whilst 23% and 22% felt that CISOs are either stretched too thinly or overworked and underpaid, respectively. In contrast, 19% think CISOs are not good enough value for the money. Such ambiguity is negative for both businesses and CISOs when it comes to hiring and retaining new security leaders.
“The reality is that clarity around the accountabilities of a CISO has historically been in flux, largely because there is no succinct and exacting definition of what a CISO is expected to do,” says Watts. “This results in those accountabilities becoming either blurred or inferred.”
Watts says that an all-too-common ‘blame culture’ within businesses that points solely to a CISO in the event of a breach or loss can be significantly detrimental to their effectiveness and longevity. This takes on particular significance given recent Forrester research that found large UK organisations churn through CISOs notably more rapidly than their US counterparts.
ClubCISO chair Stephen Khan says security generally is becoming more pressurised with the CISO bearing the brunt of that pressure. “They feel personally attached to the security function and making sure that everything is done right. Even though it may not necessarily be their job role, they will always make sure that things are done. So, I think there’s a lot around mental wellbeing that we probably can pull out of here and it’s not necessarily just a blame thing from a company perspective.”
Watts also disputes the notion that modern CISOs require an in-depth understanding of every area of IT to be successful, with technical skill becoming diluted as a core competency. “CISOs are now having to involve themselves less in day-to-day technical operations and are instead spending increasing time collaborating more broadly with the business to ‘shift-left’ their thinking towards security, enabling them to embrace digital transformation and make the most of commercial and disruptive opportunities whilst not straying beyond their risk appetite.”
Demystifying the role of the CISO
In Forrester’s UK CISO Career Paths report, principal analyst Paul McKay stated that businesses must create conditions that help to keep CISOs engaged longer in their current positions so that they can effect positive change. This involves driving clarity into the specification of a CISO, and key to achieving this is the breaking down of stereotypes associated with the role, says Watts.
“The next generation of CISO will require diverse individuals who can see a business problem from both a technical and operational standpoint to identify solutions that balance opportunity with risk, demonstrate strong leadership, and have the confidence to lead and advise their businesses both through crisis and through business-as-usual,” says Watts. “They will also need to interpret regulatory change and the impact on business, and they need to be able to understand how technology innovations can positively and negatively impact business outcomes.”
This requires a blend of skills that can and should be sourced from beyond the technical community alone, Watts says, and this step-change in CISO talent sourcing is long overdue. “Finally, the remit and requirements of a CISO should be described in terms of desired business outcomes, not ‘x-years of this’, ‘y-years of that’ and ‘z different security certifications’ of regimented experience. Only then will we make the role accessible to all and attract the diversity of skills needed to evolve the next-generation CISO into a strong business and technical ambassador.”