Navigating the Challenges: The 2024 Landscape for CISOs Revealed in ESG/ISSA Research

As we step into 2024, the role of Chief Information Security Officers (CISOs) is under the spotlight, with predictions suggesting that this year could be dubbed “the year of the CISO” for reasons less celebratory. Legal complexities, compliance demands, heightened board-level scrutiny, and persistent job stress are expected to make 2024 an arduous year for CISOs, prompting some to contemplate abandoning ship for a more serene career path.

The assessment, originally proposed at the close of the previous year, has garnered significant feedback from the cybersecurity community, particularly from CISOs with whom the projected challenges resonate. To bolster the claim with data, insights were drawn from the Life and Times of Cybersecurity Professionals v6 research conducted by ESG and the Information Systems Security Association (ISSA) International.

According to the research findings, a substantial 63% of cybersecurity professionals perceive their roles as more challenging now than two years ago. Similarly, 62% of CISOs echo this sentiment, with 32% of them asserting that the challenges have significantly escalated, compared to 26% of their non-CISO counterparts.

Delving into the reasons behind the growing difficulty for CISOs, the ESG/ISSA data underscores that managing the business aspects of cybersecurity programs, including interactions with the board, regulatory compliance oversight, and budget management, is a major contributing factor. This shift aligns with the evolving nature of the CISO role, which is transforming from a purely technical overseer to a strategic business executive. Simultaneously, organizations are increasingly relying on IT for various functions, further amplifying the complexities faced by CISOs.

Despite these mounting challenges, an overwhelming 82% of CISOs express satisfaction with their current roles, slightly surpassing the satisfaction levels of non-CISO respondents at 79%. The seniority of CISOs may play a role in their ability to manage stress, navigate career trajectories, and align expectations more effectively than their counterparts in the cybersecurity realm.

Interestingly, the criteria for job fulfillment differ between CISOs and other cybersecurity professionals. CISOs find satisfaction in the commitment of business management to cybersecurity, close collaboration with business units, and competitive salaries. Conversely, non-CISOs derive satisfaction from organizational opportunities for career advancement.

However, the data also sheds light on the significant on-the-job stress experienced by CISOs, with 62% acknowledging that their roles induce stress at least half of the time. This stress is attributed to factors such as an overwhelming workload, disengaged business managers, and the challenges of meeting security requirements for new business initiatives. Notably, 36% of CISOs express a likelihood of leaving their current positions within the next year, emphasizing the toll of the role.

The research emphasizes the critical importance of third-party relationships, a stress point for 26% of CISOs, as these connections are integral to business processes. The lack of continuous oversight into the security performance of these third parties adds to CISOs’ concerns.

A crucial takeaway is the potential impact of CISO attrition on organizations, leading to disruptions, competition for replacements, and heightened cyber-risk during transitional periods. The research urges CEOs and corporate boards to reevaluate their approach to the CISO role, considering not only performance metrics but also factors like relationships, reporting structures, resources, workloads, and the mental well-being of CISOs.

In conclusion, the ESG/ISSA research signals that the balancing act for CISOs is becoming more challenging, requiring a nuanced approach from executives and boards to retain and optimize the effectiveness of these cybersecurity leaders.
