Chief Information Security Officers
Since the United States named its first chief information security officer (CISO) under President Barack Obama in 2016, the field of cybersecurity management has developed into a “hot trend” all by itself; add in high-profile threats to personal information and other attacks and it is easy to see how important CISOs are to individuals, organizations, and nations. The reasons why CISOs are important have to do with the climate of security threats. Things are getting hotter as cybercriminals constantly change their techniques as they become more aware of increased security measures. For instance, the number of cryptojacking attacks (“the illegal use of an organization's or individual's computing power without their knowledge to mine cryptocurrencies”) increased in 2018. Further, nearly 38% of enterprises report having lost business due to security performance, both real and perceived, within their organizations.
Details about the characteristics of CISOs, how those characteristics have (or need to) change based on current trends, and several examples of high-profile professionals within the field are presented below to build understanding about the role and how it has changed over the last few years.
CHARACTERISTICS OF CHIEF INFORMATION SECURITY OFFICERS
How common is the role?
- 62% of Fortune 500 companies have a CISO; however, only 4% of them list the CISO on their company leadership page.
- In 2017, ISACA surveyed security leaders worldwide and found that 65% of the organizations surveyed had CISOs in place, which marked a 15% increase from the previous year’s survey.
- However, this rise in 2017 was not impressive to the survey stakeholders, one of which noted that “it may be a case of companies doing a little window dressing and taking their security director and now calling them a CISO. It's the same person but a different title.”
What is the number and type of companies that use CISOs?
- The type of Fortune 500 companies most likely to use CISOs include those in the transportation industry. Transportation was listed as “the most security-conscious vertical.” 57% of these companies had an executive position listed as being responsible for cybersecurity. The aerospace industry and the insurance industry are next in line at 33% and 30%, respectively.
- The least secure Fortune 500 organizations include hospitality, manufacturing, and telecommunications.
What are the responsibilities of a CISO?
- While research shows that CISOs have been steadily moving out of the ranks of siloed firewall support, other research has shown a slow investment in the field by organizations needing trained security professionals. In 2019, Gartner predicted that not only will investments in cybersecurity grow by 8.7%, but boards will be relying on CISOs to make the case for the most important areas of investment.
- Due to the growing awareness of the need for CISOs and a likely shortfall in their supply, increased use of independent cybersecurity contractors is projected.
- According to Forbes, these roles are also expected to grow and gain more respect. Forbes also noted that due to heavier regulations, many organizations will begin to look to their CISO as someone who can help them implement further protection of consumer data and the company which, in turn, secures consumer business and keeps the company away from harsh criticisms and legal meltdowns.
- Overall, the responsibilities of a CISO vary by industry and company size. At larger companies, CISOs oversee teams of security professionals, while smaller firms may simply rely on outsourced managed services. Regardless, at large or small companies, CISOs focus on security operations, cyber risk and intelligence, investigations and forensics, data loss and fraud prevention, governance, security architecture, identity and access management, and program management.
What is the basic and preferred experience/education needed?
- Michael Palmer, the previous CISO for the National Football League, held a bachelor’s degree in computer information systems from Baruch College. Curtis Simpson, Armis CISO, was primarily self-taught, and Erinmichelle Perri, CISO for The New York Times, received an MBA from Columbia.
- The ISACA study in 2017 found that most survey respondents valued hands-on experience as most important for cybersecurity roles, with 7/10 requiring security certification.
- Still, some sources focus on a traditional angle to becoming a CISO: 1. Start as a programmer/analyst, 2. Upgrade education to become a security analyst, 3. Get extra certifications/training, 4. Oversee a security team, 5. Get an MBA with an IT security focus, 6. Get promoted into a CISO role.
TRENDS IN THE CHIEF INFORMATION SECURITY OFFICER FIELD
TREND#1: Direct Relationship Between CISO & CEO
- A recent study by Wipro found that more than 20% of CISOs are now reporting directly to CEOs rather than to the Chief Information Officer. Please note, however, that this rate can significantly vary based on industry. For instance, communications-centric organizations report the rate of direct reports to be 47%.
- This change is driven by it becoming increasingly clear that CISOs play a “critical part of an organization’s basic function,” especially as CEOs are under pressure during cyberattacks and other data breaches. Additionally, CIOs may have competing priorities that don’t meld with those of CISOs. For instance, CIOs tend to worry about budgets for application development, infrastructure and networking capabilities while CISOs have a fundamental concern about data security.
- Regarding the upward mobility of the CISO role, the National CIO Review reported that a best practice in security investment is to make sure the CISOs have both the “responsibility and oversight to direct a robust response” to threats from attackers.
- One report noted that while it was predicted a few years ago that 75% of CISOs would report to CEOs, it is only the more tech-centric companies that rely on this model.
- “Retail, transportation and manufacturing companies have lagged other industries, with the CISO typically reporting two layers or more below the CEO. Smaller companies at the high end of the Fortune 1000 may have a director of information security who is very technically focused on the basic blocking and tackling of security. Until lately, companies in these industries did not feel extremely vulnerable to external threats. Security awareness and concerns have recently grown in these industries due to multiple factors: greater connectivity and efforts focused on digital transformation, the addition of new business systems being accessed remotely, increased threats from nation-states and hacktivists, the negative impact on leadership following breaches and the rise and reporting of cyber breaches and incidents.”
TREND#2: Business Leadership Skills Outpace Technical Skills
- According to a study from the Information Systems Security Association, successful CISOs effectively utilize leadership skills. 54% of survey respondents reported that these leadership skills were not only important but far outpaced other aspects of the job including “communication skills (49%), executive relationships (44%), management skills (33%), and technical skills (21%).”
- One expert noted, “In the old days, CISOs tended to work their way up through IT and cybersecurity departments before assuming oversight of antivirus software, firewalls, and meeting regulatory compliance mandates. Now, CISOs lean much more heavily toward the business.”
- “While the role still oversees the hiring of an internal security team, CISOs must now also take responsibility for deploying security hardware, setting, reinforcing and updating a company-wide security strategy and auditing current systems to monitor any potential security flaws and mitigate future risks.”
- Firms all over the globe are in the process of transforming their programs in the CISO space and beginning to require that these high-profile professionals have strong leadership abilities, transversal vision, managerial acumen, and political prowess. Gone are the days when what was considered to be a qualified CISO was a junior technologist, ex-auditor, or life-long consultant.
TREND#3: CISOs are Burning Out
- The average tenure of a CISO is only 18-24 months. 65% of IT and security professionals consider quitting due to burnout. Those that leave the role report that constant stress and ever-present job urgency are leading reasons for exiting. Other C-level staffers stay much longer (CFOs tend to stick around for 6.2 years and CEOs for 8.4 years).
- Part of this burnout has to do with CISOs taking the blame for data breaches and carrying its full weight, which also highlights the importance of hiring managers making the right decisions early on. For example, during the Capital One data breach crisis, the staff suggested that the CISO and previous clashes with employees were part of the primary issue. However, in 2018, employees raised concerns about a high turnover rate within the cybersecurity team, which included about 1/3 of the entire team staff.
TREND#4: CISOs Don’t Get the Details They Need for Reporting
- Some companies are hiring a CSO or CISO for the first time due to a “deeper commitment to information security.” Top CISO concerns in 2019 included strategic alignment, regulations, cloud security, staffing, merging technologies, response and remediation, expanding responsibilities, large attacks, dealing with data, and strengthening the foundation. Cybersecurity threats expected to dominate 2020 include problems in personal phishing, ransomware, IoT, insider threats, and adversarial AI attacks.
- However, only 5% of CISOs are capable of reporting relevant security metrics that are of value to their senior business associates. According to Gartner, this trend will continue through 2022. “Rather than a review of threat detection software updates or systems patched, CISOs must be able to provide an update on the business's security posture in the context of operational and financial risk.”
- Some of the reporting needs might be more related to not being ‘heard’ or having a different set of priorities than those being reported to. For instance, in January 2020, Mick Baccio, CISO for Democratic presidential candidate Pete Buttigieg, resigned from his position, citing that he exited due to no longer agreeing with the way senior leadership envisioned campaign cybersecurity. According to Forbes, "CISOs aren’t always the most popular voices in the room because their concerns can sometimes limit the enterprise’s ability to develop and launch products quickly."
- Along these same lines, some reports note that the CISO field has an image problem, as it is still seen as a highly specialized, dead-end, overly technical silo, plagued by too little investment and too much managerial lip-service.
TREND#5: The Looming Cybersecurity Management Skills Gap
- One industry analysis forecasted a cybersecurity skills shortage to the tune of 3.5 million cybersecurity jobs by 2021. This shortfall could be due to several factors: 1. The increasing volume of cyber threats, 2. The increase in the number of technologies required to tame those threats, and 3. Broader (and harder to manage) attack surfaces from innovations (e.g., cloud, IoT, and BYOD/bring your own device).
- One prominent solution to the skill shortage problem is “upskilling existing security personnel.” But this solution is fraught with issues like competition for well-trained cybersecurity personnel and expensive training. In fact, the ISACA study found that the average amount companies were willing to pay for cybersecurity training in 2017 was $1,000 per team member.
- However, this skills gap perspective marks a change from 2017, when an Indeed report noted that the CISO field was in oversupply. This was refuted and finessed based on the idea that while many professionals were assisting in the field of cybersecurity, the ultra-competitive CISO job market, as well as its projected leap into C-suite level income arena, would shed light on the higher-level skill set required to be successful in the job.
HIGH-PROFILE CHIEF INFORMATION SECURITY OFFICERS
- The New York Times recently created a role for a CISO, and in 2019 it was filled by Perri, who joined the American mass media company, reporting more than $1.74B in revenue, from MultiPlan (a technology-driven health care company). At MultiPlan she was the company’s first CISO as well.
- Before The Times and MultiPlan, Perri was at Citigroup “where she served as senior vice president of operations and technology risk and control, focused on the risks associated with the adoption of emerging technologies including cloud computing, blockchain, mobile deployment, and data analytics.” She received a Bachelor of Science in computer engineering and an MBA degree from Columbia.
- Before joining The Times, Perri spoke with an audience at the Ai4 Cybersecurity Conference panel session called “A CISO Perspective on AI.” Perri reported that one of the challenges with using AI at MultiPlan was that “‘a lot of insurers are coming to us and saying’ they don’t want the company using any of their patients’ data, ‘even in its masked form, for any services’ other than what those insurers have asked MultiPlan to do.”
- Maor was added to the IntSights executive team as the CSO charged with leading its security advisory practice and working with the company’s CISOs and other senior cybersecurity executives. Maor previously worked at IBM XForce, where he led the creation and delivery of the product (IBM XForce is an IBM Security threat management and cloud security solution that includes incident response and intelligence services; XForce was a potential driver of IBM Security’s $1B revenues in Q2 2018). Maor also works with RSA, where he implemented an automated and scalable model.
- Noted to be a featured speaker at prominent industry conferences, Maor is also often asked to appear on or interview with major news outlets to discuss cybersecurity and its issues.
- In a recent CNBC interview, Maor stated that he expected to see the “adoption of AI tools for more targeted, automated attacks.”
- Shefter was hired by Landmark Ventures in August 2019 as CISO and partner. This is due to his deep wells of experience in both cybersecurity and business strategy.
- Prior to taking on the role at Landmark, a strategic advisory and global investment bank with ~$10M in estimated revenue, Shefter “held senior roles at Ziften, Citigroup, and IBM while also being a strategic advisor to emerging technology companies and the venture capital industry.”
- He notes that cybersecurity “demands daily innovation in order to protect consumers and companies from hackers, threat actors, and nation-states.”
- Palmer was the first CISO for the National Football League (NFL). While securing the NFL from threats, he oversaw the company’s operations and information security strategy. “During his time with the league, Palmer led the development of security architecture for the NFL’s television networks and digital channels. He also provided leadership during cornerstone events, such as directing cyber operations during the Super Bowl.”
- In 2019, he was named CISO for Hearst, a global diversified media and information services company containing more than 360 businesses, where he is responsible for building and advancing the company’s cybersecurity solutions.
- During a 2018 interview with Security Current (when he was still with the NFL), Palmer noted that “a CISO needs several skills: be a good storyteller, know how to build relationships, and learn to lead by influence. ‘I need to wield influence in my job to get things done,’ he says. ‘Being a good storyteller is very important. I have to take a situation and change the wording to give it meaning to different audiences. I talk differently to a senior-level executive than I do to a network technician, even though I’m talking about the same risk. For example, if we’re talking about a flaw in wireless technology, I might talk to the technician about encryption protocols and key management techniques I would like him to implement. When I’m talking to senior management, I am discussing technology that has flaws. We need funding to upgrade the technology to avoid a data breach or an integrity issue that may occur over the wireless network. If we don’t correct it, the medical professionals on the field may have challenges accessing player health information to treat injuries. This would impact the league’s business initiative of protecting the health and safety of our players.’”
- Simpson is another high-profile CISO recently appointed in 2019. Simpson works for Armis by making sure that the “enterprise IoT security vendor’s product maintains a high standard and focus on platform and customer security and privacy.”
- Before joining Armis (which was recently bought out for $1B by Insight Partners in January 2020), Simpson worked with Sysco as VP and global CISO, where he was responsible for building the team, program, and capabilities needed as a global function to deliver security services all from one central location. An especially interesting part of his role was the need to handle many of Sysco’s acquisitions of medium-sized companies, which did not invest a lot in IT functions or security but required fast and effective security once acquired.
- In a 2020 interview with Cybercrime Magazine, Simpson admits to having been a self-taught young kid dabbling in the legal and illegal parts of RISA organizations. He also acknowledged that much of his professional career was also self-taught.
- Regarding CISO challenges and cybersecurity, Simpson noted that while social media is often a game-changer, nontraditional competition is one of the biggest game-changers in cybersecurity because “not only does the business have to move at a faster pace to continue to meet up with and compete against that non-traditional competition, we have to continue to manage the risk along with that rapid maturity and change in business models and technology and such; again moving very quickly in IoT is a great example of some of those things that are being introduced into the environment to bring more value to business to make smarter decisions and in shorter periods of time to be more competitive, etc. All of that means great buzz which can mean great business value but it also introduces risk that needs to be managed and relatively nimbly as organizations are moving really quickly.”
EXTRA FACTS & QUOTES
- CISOs are sometimes called a chief security officer (CSO) as well.
- “The connected enterprise represents an expanding attack surface, with recent reports on ransomware attacks impacting multinational corporations, often through insecure, unmanaged devices. According to Gartner, IoT endpoints will grow to 25 billion units by 2021, with the highest growth in the cross-industry category. These unmanaged and un-agentable devices have no inherent security, and cannot be protected by legacy security solutions. ‘IoT security has come of age, with CIOs and CISOs across industries prioritizing it as they realize the significant risk these connected devices pose,’ said Yevgeny Dibrov, CEO and co-founder of Armis.”
- “A study conducted by the Ponemon Institute found that 60% of organizations globally had suffered two or more business-disrupting cyber events.”
- “The Ponemon Institute’s 2017 Cost of Data Breach Study noted that in 2017 the average cost of a data breach across the ASEAN region was $2.29 million. The report also found that appointing a CISO could reduce the cost of such a breach by about $5 per stolen record.”
- Respondents to the ISACA survey noted that it can take 6+ months to fill cybersecurity roles.