Roles of Chief Information Security Officer
The roles of Chief Information Security Officer (CISO) and other CS professionals are being viewed as more important
Substantial institutional changes brought about by increasing cyber risks have produced a key emerging trend: the changing roles of CS specialists in organizations. A growing number of organizations are finding that they need to elevate and emphasize these roles. Consequently, CS specialists now hold positions of higher formal authority and have access to more resources.
CEOs and boards often consult CISOs to understand cyber risk, implement appropriate security controls and promote a culture of defense. One study suggested that 90% of CISOs were connected directly to their organizations’ top leadership team, and that half of them were on the leadership team[i].
In 2014, several Fortune 500 companies, including JPMorgan Chase, PepsiCo, Cardinal Health, Deere and The United Services Automobile Association (USAA), were reported to be seeking CISOs and other security personnel[ii]. CISOs’ salaries have rocketed to a new level. Some large corporations were reported to hire CISOs with annual salaries in the US$500,000-US$700,000 range. It was also reported that compensation for CISOs at some technology companies was as high as US$2 million[iii]. Organizations are realizing that, in order to retain existing cyber talent, resources must be dedicated to encouraging its growth and development through training and continuing education opportunities[iv].
CISOs traditionally reported to the CIO or the CTO. For instance, in 1995, Stephen R. Katz became Citicorp’s CISO[v]. Katz was the banking industry’s first CISO. He reported to the CTO of Citicorp[vi]. Some practitioners have recommended allowing CSOs and CISOs to present findings and strategies directly to the board instead of through other C-level officers[vii]. Indeed, many newly hired CISOs are being told to report directly to the CEO and the board. A 2014 study by the CS firm ThreatTrack found that 47% of CISOs reported directly to CEOs[viii]. In some cases, CISOs are also board members[ix]. This makes sense, since CS is an issue that affects the entire company, not only the IT department.
The general trend, then, is that CS specialists are transitioning to broader and more dominant roles in organizations. A U.K.-based recruitment firm was reported to have helped a fast-moving consumer goods (FMCG) company select a global CISO. Of the four candidates put forward by the recruitment firm, three had strong technical backgrounds. However, the candidate who was appointed was not selected for technical or specialist expertise. The newly hired person was expected to influence and build relationships at a high level, and to unite disjointed areas of the organization[x].
New roles in organizations such as CISO or CSO are being defined and rationalized by corporate boards, CS professionals, legislatures, and regulatory agencies. Organizations, however, differ widely in the power that CS professionals possess and in the amount of resources these professionals can access. For instance, compare Google and Yahoo. Google adopted a new internal motto, “Never again”, to signal its commitment and determination to stop perpetrators from hacking Google customers’ accounts[xi]. To strengthen CS, Google was reported to have hired hundreds of CS specialists with “six-figure signing bonuses”. Yahoo lacked such determination. Yahoo’s current and former employees were reported to say that the company’s top management emphasized the creation of a cleaner look for services such as Yahoo Mail and the development of new products over strengthening CS[xii].
[i] Sweeney, B. (2016). Cybersecurity Is Every Executive’s Job, September 13. Harvard Business Review. https://hbr.org/2016/09/cybersecurity-is-every-executives-job.
[ii] Damouni, N. (2014). Exclusive: U.S. companies seek cyber experts for top jobs, board seats, May 30. Reuters. http://www.reuters.com/article/us-usa-companies-cybersecurity-exclusive-idUSKBN0EA0BX20140530.
[iii] Damouni (2014).
[iv] Hubbard, T. (2016). Why Cyber Attacks Remain A Challenge For U.S. Forbes. http://www.forbes.com/sites/kpmg/2016/10/12/why-cyber-attacks-remain-a-challenge-for-u-s/#ca9bfa216de8.
[v] Reavis, J. (2003). CSOinformer – Security wisdom ahead of the curve, May 13. CSOinformer. http://reavis.org/2003-05-full-informer.shtml.
[vi] Reavis (2003).
[viii] ThreatTrack Security (2014). CISO Role Still in Flux: Despite Small Gains, CISOs Face an Uphill Battle in the C-Suite. www.ThreatTrackSecurity.com.
[ix] Shah, S. (2014). Salaries soar for cyber security high-flyers, June 27. Computing. http://www.computing.co.uk/ctg/analysis/2352505/salaries-soar-for-cyber-security-high-flyers.
[x] Shah (2014).
[xi] Perlroth, N. and Goel, V. (2016). Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say, September 28. The New York Times.
[xii] Perlroth and Goel (2016).