Over the past decade, the role of the CISO has evolved to keep pace with today’s dynamic threat and regulatory environment. Cybersecurity has expanded well beyond the confines of IT and is now a concern at the highest enterprise level. This has impacted how CISOs are viewed within the organization, as well as their typical reporting structure. It has also redefined the skills and backgrounds that determine who will be hired in those roles, and, perhaps more importantly, who will succeed.
I spend a lot of time analyzing how the role of the CISO is evolving. I have worked in close partnership with Paul Calatayud, CSO at Palo Alto Networks and my colleague Jamey Cummings, a fellow co-leader of the Cybersecurity Center of Expertise at Korn Ferry. Here are some of our findings that were adapted from this article.
The new dynamic in cybersecurity has made the CISO far more visible and accountable in organizations. When Korn Ferry researchers analyzed data from a work analysis exercise given to executives, the results showed that 80% of CISOs said their jobs had a very high-profile orientation for both visibility and accountability. This was nearly double the percentage of other same-level managers surveyed.
Beyond that, there were two other critical areas where CISOs expressed a higher requirement than their counterparts across the organization. Those were:
- Long-term strategic vision
- Implementing new initiatives
These findings suggest that organizations need cybersecurity leaders with skills that go well beyond technical expertise. Technical knowledge is still essential, but today’s CISOs need to be able to think outside the box, dig deeply into issues, exercise seasoned business judgment, exert influence at the board and C-level suites, and be a credible business partner.
According to our research at Korn Ferry, CISOs also need a different “motivational makeup” because “the most effective leaders are those who seek high visibility and accountability and strive to be agents of change.”
The higher levels of visibility and accountability have also affected where CISOs fit in within the overall organization as well as their reporting structures. Korn Ferry’s research shows a shift in reporting relationships. While many continue to report to a CIO, many more CISOs are now reporting to the head of risk management, a general counsel, the company’s president or the COO.
As noted in our most recent report: “Because the CISO has moved from the back-of-the-house operations to a key public-facing figure relied upon heavily by others in the C-suite, gone are the days when someone who is a brilliant technology expert but lacks business and relationship acumen can make it at the top ranks of the cybersecurity role.”
In today’s world, an ideal CISO has to keep up with the breakneck speed of technological change, while also having a strong aptitude for leading courageously, moving nimbly and understanding the right level of risk to make an organization safe—while still innovating.
Where will organizations find these rare individuals? See part two of our series: Archetypes of the Modern CISO.
View the full report that outlines what’s ahead for CISO leaders.