As the global pandemic forced organizational employees to work from home, this created a new set of challenges for CISOs. For starters, CISOs have had to double down on security training with remote employees, particularly as phishing and other attacks have risen dramatically.
They’ve also had to think innovatively as the concept of an organizational perimeter has been eradicated.
Given these and other cybersecurity trends, it’s fitting that HMG Strategy recently connected with Michael Piacente, Co-Founder and Managing Partner at Hitch Partners, a retained executive search firm in the San Francisco Bay Area that specializes placing executives in mission-critical leadership roles in security.
Hitch Partners recently published a survey of 350+ cybersecurity leaders from across different industries in the U.S. The goal of the survey was to provide CISOs an insight into the top challenges and opportunities facing their peers.
Here’s what Michael Piacente had to share regarding the survey results and the key insights that were gleaned from the study:
HMG Strategy: What are CISOs most concerned about now?
Michael Piacente: One of the big issues is around the CISO reporting structure. It’s striking to see how many different structures there are in the landscope today. For example, to start the year off we were managing 9 separate CISO search projects of which 8 were reporting to a different C-level executive in those companies. While more than 40% of CISOs still report to the CIO we are seeing this trend on the decline; not only within smaller companies but also with enterprises.
Another somewhat related trend is how the CISO’s reporting structure determines whether the CISO communicates directly with cadence with the Board. The majority of CISOs today regardless of company size do not consistently report to the Board. There’s some exposure but not regular exposure. We were beggning to see this change prior to COVID and now it has been accelerated.
A third trend that is surfacing includes IT responsibilities falling under CISOs in mostly younger companies. These companies are not only hiring CISOs prior to their CIO but they are also placing IT operations responsibility under the CISO. Again, we are only seeing this for smaller companies whereas companies with 5,000+ employees have less than 25% of CISOs overseeing IT.
Some CISOs will argue that they should be reporting to the CEO, given the importance of cybersecurity and risk for the organization. Others have suggested that a CISO should report to the Chief Risk Officer for those organizations that have one.
MP: The structures will continue to vary. We find that the correct reporting structure tends to be the executive that is the most engaged and able to ensure impact for the security program. In the case of the reporting structure to the CEO, it really does depend on the CEO. Mentorship and availability play into it. For instance, it may not be feasible for a CEO to be the best option if that CEO is overloaded with direct reports and travel or both.
Yes, we are seeing more Chief Risk Officers and GCs taking on additional security reporting responsibilities. Like CISOs, these executives tend to have a unique view of the business risks to an organization from a people, process, and technology perspective.
Did you compile statistics regarding the percentage of CISOs who indicated they would explore new opportunities due to a lack of sponsorship?
MP: We were pretty surprised to see that close to 70% of CISOs felt they were being fairly compensated; the key issue is around lack of sponsorship and positioning of the security program. This includes the status of the CISO within the organization and their level in the C-suite. Essentially being able to influence the positioning of the security program within the organization is critical and is the primary reason that CISOs decide to stay longer or depart.
Many CISOs in the study cite that they’re not active participants in executive management decisions. So are CISOs effectively members of the C-suite but without any clout?
MP: That’s a great question. Many felt they were positioned by their HR structures as having a seat at the table however in reality they more often had very little executive facetime and communicated business risk through other C-suite executives. We found that most CISOs present to the board each quarter but only for the portion of the time they had been scheduled. In our searches, candidates are continually seeking a greater ability to influence and impact at the Executive and Board level.
You’ve found that the average tenure for a CISO is 2 years, 7 months. Is there a general feeling among CISOs that they want to see their tenures extended? Are there other trends you are seeing?
MP: Yes, they certainly want to see longer tenures. In this most recent report, we have seen the tenure for CISOs come down a bit but we are also not quite done analyzing the data.
In some smaller companies, CISOs are looking for greater protection from an eventual compromise event. We have seen some candidates ask for advice on how to position themselves to be covered financially in these situations. Some even seek to be included on the company’s Directors & Officers (D&O) insurance policies.
Did the survey explore burnout, which is prevalent among CISOs and security professionals?
MP: No, that was not specifically covered in this version of the report. This is certainly an area we will focus for future versions. It is a very important topic and worthy of a separate study.
Any additional thoughts?
MP: We believe we are on the verge of a golden age for CISOs; their influence, scope, standing with the C-suite, and overall communication impact have all elevated during COVID.
I would point out that the C-suite leaders should understand when hiring that there are two distinct communities of CISOs in the market today; one is a comprehensive IT-oriented information security leader with governance experience leader and the other is an engineering-oriented CISO with a heavy emphasis on cloud software product security. While many of the skills overlap there are distinct differences. More importantly, CISO hiring is on the rise and companies should know that they are unlikely to receive everything in one package. On the candidate side to enhance their marketability we would certainly recommend that all Security leaders cross train in these respective areas.
To access the Hitch Partners 2020 CISO Survey results, click here and enter hitch2020 as the password.
Michael Piacente will be speaking at HMG Strategy’s upcoming HMG Live! Silicon Valley CIO Virtual Summit on July 2. To learn more about the event and to register, click here.