The role of the CISO, which not long ago would have been regarded as a novelty, has increased in importance as businesses have digitalized and cybersecurity has become a significant concern to virtually every organization, according to a recent report from Forbes. The CISO is tasked with looking to the future as a member of the business’s strategic senior or leadership team. At the same time, they must work in close collaboration with members of the C-suite (often the chief information officer) to design an information security program to safeguard organizational data and systems, and maintain a rigorous level of vigilance for the possibility of external cyber attack. The support of the senior leadership team and internal recognition of the unusually acute pressures on the role are essential, according to a new report from Altrata. The report leverages data from BoardEx and Boardroom Insiders.
Who are the leading Fortune 500 CISOs of today and what are their characteristics as a group? Here Altrata looks at this cohort of individuals, examining their demographics, personal interests, professional experience and educational backgrounds.
Gender and Age
In common with leadership positions, the report found that gender imbalance in the role remains substantial, with only 16 percent of CISO positions currently held by women. This is better than the 10 percent share of female Fortune 500 CEOs, but almost on a par with that of CFOs, of whom women account for around 18 percent at Fortune 500 companies. “To increase the number of female CISOs, organizations will likely need to provide greater internal support and change their recruitment and career development practices for managers and people of influence,” the Altrata study said.
The average age of a Fortune 500 CISO is 52 years. This is younger than the average age (56) of the Fortune 500 leadership team (the C-suite) as a whole. “The CISO role is not typically included in the leadership team, which may explain the younger average age,” the report said. “However, it might also reflect a younger demographic among CISOs, who have gained their experience in more nascent technology fields. There is also a lack of publicly available data in this regard as CISOs tend to be substantially less visible than most members of the leadership team, often by design.”
Experience and Backgrounds
Altrata found that many CISOs have previously held a senior role on a board, leadership team or as part of senior management. In fact, around half of current Fortune 500 CISOs (51 percent) have held senior roles in technology at some stage in their careers. The fact that not all CISOs have accrued senior-level experience is likely due to the more recent recognition of the role’s importance. Senior roles in finance come a distant second (at 11 percent), indicating the added value of financial know-how in cybersecurity planning. Government experience (eight percent) is the only other category with a share greater than three percent, indicating the significance of regulatory knowledge and experience to the CISO role.
Interestingly, around 15 percent of Fortune 500 CISOs are employed in consultancy or advisory roles (sometimes under the “CISO-as-a-service” model), overwhelmingly by privately owned companies (93 percent), indicating the high current levels of concern around cybersecurity issues. In contrast, when C-suite leaders do act as advisors, this tends to be to charities, clubs and educational organizations rather than the private sector (often to avoid conflicts of interest).
It is apparent that military and government experience provide a strong background for cybersecurity leadership. The U.S. Navy, Army and Air Force all feature on the list of previous employers, as does the U.S. Department of Defense. In addition, many well-known consulting companies, such as PwC, EY, Booz Allen Hamilton and the technology-focused IBM, count today’s Fortune 500 CISOs among their former staff. Finance employers, such as Citigroup and JPMorgan Chase, demonstrate that a strong grasp of the budgetary implications of digitalization and major enhancements to cybersecurity programs at large, complex organizations carries significant weight in positioning candidates for the CISO role.
CISOs have a markedly different set of educational alma maters than senior executives in the leadership team, according to the Altrata report. In fact, not one of the top 15 universities for S&P 500 C-suite executives features on our list for CISOs. Common universities attended by current CISOs are Arizona State, the University of Maryland, College Park and George Washington, which all have highly rated cybersecurity programs. The U.S. Military Academy at West Point also features, again underlining the connection between military training and cybersecurity leadership.
Leading Strategic Priorities
The CISO is under competing pressure to support innovation and corporate progress while protecting their organization from constantly evolving cyber threats. In 2022, Latha Maripuri, CISO at Uber, said: “Redefining the strategic priorities for a modern CISO means focusing on several emerging responsibilities: partnerships, collaboration, innovation, and preparing for the future.”
A number of other areas also carry specific weight with today’s executives. Automation, for example, is creeping up the agenda for CISOs. Bret Arsenault, CISO at Microsoft, said that the “shortest resource I have is human capital.” Mr. Arsenault sees his role as moving towards the more efficient use of those resources through technology. In February this year, Doug McMillon, president and CEO of Walmart, emphasized the ability of CISO-supervised technological advancement to combat adverse economic conditions and take advantage of an uplift when it comes. “These and other priorities mirror the range of pressures and demands on the CISO and give a clear insight into how individuals are approaching the job,” the Altrata report said.
Innovation is the strongest imperative for CISOs in current market conditions, with 55 percent of respondents focusing on this, almost 20 percentage points above the second highest priority. “What is clear about the cybersecurity environment is that, perhaps more than any other aspect of digitalized business, it is evolving constantly and at speed,” the report said.
“Everybody is on this journey, figuring out what they need to do and how fast they need to do it,” said Amanda Cody, CISO at Booz Allen Hamilton. “We’re in the cybersecurity space across industries. What do we need to do to support and enable a resilient business?”
While this oppositional, competitive aspect to cybersecurity innovation is a significant source of pressure for CISOs, it is also part of what makes the job interesting and professionally rewarding, according to the Altrata report. The CISOs who succeed in the role (and, by definition, succeed in innovating effectively) thrive in the fast-moving, technologically evolving environment, seeing it as a significant professional learning opportunity.
“Nevertheless, the relentless pressure to be at the forefront of cybersecurity awareness cannot be dismissed lightly,” the report said. “Companies are continually seeking to enhance their security measures and regulatory standards are increasingly strict and intricate. CISOs are tasked with finding the best fit for their organization in terms of new technology while making it watertight in terms of data use.”
Contributed by Scott A. Scanlon, Editor-in-Chief; and Dale M. Zupsansky, Managing Editor – Hunt Scanlon Media
This was first published on Hunt Scanlon on October 24, 2023.