Has the CISO’s standing within the organisation hit a ceiling?

Despite the continuing increase in intrusions and security budgets, the CISO role has seemingly stalled after growing in importance within the organisation in recent years.

Conceptual image of executives; silhouettes in motion with a virtual global network overlay.
Metamorworks / Getty Images

A growth in the number of security incident and budgets has failed to see the CISO’s standing increase within the organisation, according to the 2019 CIO 100 survey.

Continuing the trend of recent years, the majority of the 2019 cohort expects to receive bigger budgets specific to security to tackle the growing cyber threat, after seeing an increase in the number of security incidents.

Yet in contrast to the 2018 CIO 100, the number of CISOs reported as being “peers of the CIO” hasn’t increased despite the growth in budget and attacks.

Security spending continues to grow

The spectre of GDPR combined with more successful attacks has been a driving factor for increasing security budgets in recent years.

Some 59 percent of companies said that they had detected a cyber intrusion in the last 12 months, up from 56 percent in 2018. Consequently, 83 percent of organisations expect an increase in security budgets in 2019, just above the 81 and 82 percent of respondents in 2018 and 2017 respectively.

According to Hiscox’s 2019 Cyber Readiness Report, organisations in the UK spend less on security than those in Europe or the US. UK companies spend an average of $900,000 on security, nearly $500,000 less than the global average in the study. However, the average cost of an incident was also lower - $243,000 compared to $369,000.

Where do UK CISOs sit in the business?

Despite this increase in budgets and number of successful attacks, our survey suggests that CISO’s standing within their companies has failed to change in the last 12 months.

Some 12 percent of organisations say the CISO is a peer to the CIO, which, after a three-fold increase in recent years, has decreased slightly on last year’s figure. Some 65 percent of companies have a CISO or equivalent who reports to the CIO function, or have the role covered by a member of CIO's department, roughly in line with last year’s figures.

Two percent of companies are currently recruiting a CISO, while eight percent of CIOs responded explicitly that they were the CISO. This is a slight increase on 2018’s results, which may signal a constraint on resources, difficulty finding a suitable candidate, or reluctance to separate cyber risk from the IT function. Two percent of respondents report into the CFO, while another two percent report to a different function within the business.

Four percent of companies responded that they have no CISO or equivalent role at their organisation.

These results suggest CISO maturity in the UK is still behind the US. The 2019 State of the CIO survey in the US found nearly a quarter of CISOs or equivalents reported to the CEO – 43 percent of CSOs, 18 percent of CISOs – with just 45 percent reporting to the CIO.

Dave Burg, Principal at EY Advisory Americas, told CSO that a structure where a CISO/CSO reports to a CIO can result in “over-leveraging towards cost management as opposed to risk management.”

Despite these results, CISOs remain confident about the future of the role.

“The technical CISO, the cyber individual who's hidden away in a dark room, those days have gone,” says Mark Parr, CISO at KPMG UK. “The role of the CISO is much more about helping the business and its people operate effectively and securely.

“This is a new era for the CSO, it's a fairly new appointment that for a long time was deemed just to be an IT or technology role, but actually, the reason I took this role is it's very much a senior leader in the organisation that is there to represent at that senior level.”

Outsourcing security roles on the up

The survey found that four percent of companies are outsourcing the role to a ‘virtual’ CISO (vCISO), 'CISO-as-a-Service', or other third party organisation - double the amount of last year.

Given that CISOs can be hard to acquire, rarely stay in a role for more than a couple of years, and often command large salaries due to high demand, vCISOs offer a cheaper alternative that often comes with a wealth of experience. 

A recent survey ESG survey of 267 cybersecurity professionals and Information Systems Security Association (ISSA) members found that nearly a third of respondents were currently acting as a virtual CISO for one or several organisations. Those that were performing this role said it appealed primarily because of the variety and flexibility it offers.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!