Andrew Jenkins, Principal in the CIO & Technology Officers Practice at Odgers Berndtson, reflects on some of the key developments for CISOs in 2021 and explores how the role of the Chief Information Security Officer (CISO) is changing alongside Digital Transformation demands.
In 2020, CISOs were among the first C-level executives to scramble early and ensure their organisations remained operational during the early days of COVID-19. Their contributions cemented them as one of the most important positions on leadership teams. During 2021, their role claimed even more of the limelight, as remote and hybrid working became the norm and digital technologies became so much more prevalent.
Although they have always played a critical role in organisations, the CISO really rose to prominence during 2021. This has led to a repositioning of the role, with many organisations now preferring their CISO to report directly to the CEO. As a result of this increased leadership capacity and a growing appetite among organisations for information security leadership, CISO salaries have risen exponentially. What’s more, organisations now expect their CISOs to play a role in the diversity agenda, leading to a growing demand for CISOs with inclusion and diversity experience. Below, I outline these trends in full, reviewing some of the key developments for CISOs in 2021.
Repositioning of the CISO role
Historically, a CISO would report to a Chief Technology Officer (CTO). Technology and Digital Transformation have often taken priority over security, and as a result, boards have tended to appoint CIOs/CTOs and only hired CISOs underneath them when their security or regulatory needs really demanded it.
This has created some conflict. In this position, the CIO/CTO has the final word on the technology and security budget. They can – and do – end up allocating more of that budget for large technology projects at the expense of security. But as the digital attack landscape has grown, so too has the need for cybersecurity and data protection. Regulators are also increasingly aware of any perceived conflicts of interest created by this reporting line and have put pressure on organisations to address it. Over the past year, this need has seen many boards reposition their CISOs so that they have a greater capacity to influence the security agenda within their organisations. It’s led to more and more CISOs reporting to Chief Operating Officers, Chief Risk Officers, or directly to CEOs.
A growing need for diversity credentials
Over the past couple of years, inclusion and diversity (I&D) have become a critical priority for boards, if not the priority for boards. It’s meant that all C-suite leaders, including the CISO, now need experience and expertise in inclusion and diversity.
During 2021, boards made I&D a core requirement when considering new CISO appointments. CISO candidates have needed to give clear examples of hiring or mentoring diverse talent within their own teams, or at the very least, how they’ve played a meaningful role in an organisation’s diversity agenda. They’ve needed to demonstrate why it’s important to them personally and what they believe the benefits of strong I&D are within a business environment. Almost all interviews for new CISO positions in 2021 required a strong performance in answering these questions. Going forward, a competency with I&D will be a necessity for prospective CISOs.
Cybersecurity has become an existential threat for numerous organisations, with many viewing it as their Achilles’ heel. As remote and hybrid working have become the norm, the apparent risk has heightened among boards and senior leadership teams. Employees working from home, using multiple devices, and in many cases, personal devices, has led to many leaders feeling as if their digital vulnerabilities have increased. Because of this, the premium for CISOs has increased considerably. In fact, a report from DHI Group found that cybersecurity salaries were the fastest growing salaries in tech during 2021. Throughout the past year, many organisations have been prepared to give generous pay packages for talented CISOs.
While this has been fantastic news for the CISO community, this trend may not last. More and more organisations are adopting cloud technology, moving their data and infrastructure into cloud-based systems provided by the likes of Amazon, Microsoft and Google. Where this is the case, much of the enterprise security remit will transition to these large tech companies. This could signal a shift in the skills requirements for CISOs, with the need for technical skillsets eventually waning. Long-term, it may see boards question CISO salary expectations and require CISOs to provide more evidence of their value to businesses. Only time will tell.Click below to share this article