
Survey: CISO role evolving faster than paychecks grow
A survey of 830 CISOs finds that many of them, for better or worse, are assuming more responsibilities without necessarily receiving any additional compensation.
Conducted by IANS Research and Artico Search, an executive recruitment firm, the survey finds that up to a quarter of respondents have taken on responsibility for areas such as IT operations, change management, data governance, artificial intelligence (AI) or digital business transformation. In total, 15% of respondents reported that their organization now has a combined CISO/CIO position.
Raises tied to those additional responsibilities are rare, however. Only 3% of CISOs attributed their most recent raise to taking on a larger role; for that group, the average wage growth was 13%. By comparison, the majority of CISOs (70%) said their most recent raise was an annual merit increase, averaging 6%.
Overall, 39% of respondents hold some type of executive-level title, and just under half (47%) report engaging their organization's board of directors monthly or quarterly.
While CISOs may not be seeing their paychecks grow in step with their responsibilities, the trend itself is already inexorable. As more organizations realize that cybersecurity concerns need to be addressed across every business process, they are widening the scope of the CISO job. That may naturally leave CISOs feeling somewhat conflicted, but if the alternative is to be left out of broader decisions that affect cybersecurity, there is only one real option. Arguably, the only way to succeed as a CISO in the modern era is to be involved as deeply as possible in business workflows as they are designed, rather than trying to bolt cybersecurity processes onto them after they have already been defined.
The challenge, of course, is that as cyberattacks increase in volume and sophistication, many CISOs are trying to divert more of their resources to analyzing threats. One way to achieve that goal is to shift more responsibility for routine security operations (SecOps) tasks, such as updating firewalls, to an IT team. As that level of convergence increases, however, it will not be long before an organization's leadership debates the degree to which the CIO and CISO roles should be unified.
As financially tempting as that may be, merging those roles can easily lead to a situation where there is no longer any independent cybersecurity review of the IT processes being employed. In effect, the IT team winds up guarding the hen house it lovingly built itself, rather than relying on an independent opinion to determine just how robust the security being applied really is. Separating the team that builds and operates systems from the function that reviews them is precisely what an independent CISO provides.
Each organization will need to determine for itself what level of tradeoff it is willing to make, but there is no free pass. There will always be a need to ensure that the budget dollars allocated to cybersecurity are spent as efficiently as possible, but there inevitably comes a point where less is simply worse. In fact, given the total potential cost of a breach, spending less on cybersecurity can easily turn out to be just another instance of being penny wise and pound foolish. The real issue, as always, is making sure cybersecurity is embedded deeply enough that the number of actual incidents encountered is kept to the barest minimum possible.