Talk about a plot twist: Eighty-six percent of CISOs say their role has changed so much that it’s practically a different job than when they first started.
Throughout my career as a CISO, I've witnessed transformational change in the cybersecurity landscape, so it’s not surprising to me that the security leaders forging the path ahead are juggling a whole new set of responsibilities now. To understand the dynamic challenges and opportunities of the CISO role, a team of us at Splunk gathered the insights of hundreds of CISOs, CSOs and other executive security leaders: surveying 350 people and conducting in-depth interviews with 20 people.
The research is published today as The CISO Report, authored by Ryan Kovar, distinguished security strategist of SURGe fame, and Kirsty Paine, field CTO and strategic advisor for EMEA. They sought to understand what it’s like to be a CISO today, from the problems keeping them up at night to the steps they’re taking to expand cross-team collaboration.
I was surprised to learn that across the board, 47% of CISOs report to the CEO, which gives them an unprecedented opportunity to advocate for strengthening the security posture of their organizations. I’ve experienced the impact that educating the board can make, whether it’s about cybersecurity needs within the business or necessary investments to help the organization better withstand cyber risks and attacks. Greater influence of CISOs among the C-suite bodes well for organizations everywhere. There is some variance among industries, however. According to our research, while financial services lagged in terms of the percentage that report to the CEO (34%), an unexpected 84% in healthcare do so.
As CISOs talk more to the CEO, CFO and others in the executive suite, they have discovered that those leaders care about different KPIs and security metrics today than they did two years ago. I can tell you that in my current and past CISO roles, aligning on these metrics can provide extra job security and influence funding for cybersecurity investments. In our survey, CISOs ranked ROI of security investment as the most important cybersecurity success factor, with the results of security testing a close second. I'd add that metrics that determine the maturity of a security program (per the NIST cybersecurity framework) are also key, and they very much have to do with ROI on investments. If the investments boost the maturity of an organization's cybersecurity program, that's a quantified outcome right there.
As for the state of cyber defense, the research revealed that 83% of survey respondents paid attackers in the wake of a ransomware attack. I’ve worked with many CEOs, and I know a CEO will pay for a ransom over a loss of revenue any day of the week. Beyond ransomware, cyberattacks haven’t slowed down, as 90% of CISOs report their organization experienced at least one disruptive attack last year. This is tough, especially when you’re trying to obtain cyber insurance. Because breaches are so common, insurance prices are skyrocketing — to buy cyber insurance will cost you something just shy of having to surrender your firstborn, but close enough.
That’s just a brief snapshot of what we learned from The CISO Report, which validated and challenged some of my personal experiences as a CISO. There’s more on how AI will shape cyber defense, how organizations are building a culture of resilience and how organizations will increase cybersecurity investments.
Download the report for a complete analysis, including industry and regional highlights.