IT leaders hiring CISOs aplenty, but don’t fully understand the role

Most businesses now have a CISO, but perceptions of what CISOs are supposed to do, and confusion over the value they offer, may be holding back harmonious relations, according to a report

IT leaders across the UK and Ireland are increasingly aware of the value dedicated chief information security officers (CISOs) can offer their organisations, and 73% now say they have filled that role, a 35% increase year-on-year, with 15% planning to hire between now and 2026.

However, according to new data published today by edge cloud platform operator Fastly, IT leaders still don’t fully understand the role of the CISO. While 35% now believe CISOs are crucial to keep businesses safe from cyber threats, 27% said they were essentially there to act as a scapegoat in difficult situations.

A similar number, 23%, felt CISOs were being given too much legal and operational responsibility, potentially setting up a clash with other departments, and 39% believed they needed to have an in-depth understanding of all areas of IT, not just cyber security, although this was down from 2022.

Additionally, 24% believed CISOs were both overworked and underpaid, but 18% believed the role offered poor value for money.

“Facing – and trying to plan for – unprecedented cyber security challenges in 2024, UK businesses have consolidated efforts to hire a professional able to take charge of cyber security strategy,” said Fastly CISO Marshall Erwin. “Though, our data suggests there still exists confusion over what the role of the CISO actually entails. This disparity of opinion highlights how the role has evolved in recent years, particularly with challenges to organisations’ security postures and growing threat landscape.”

He said that traditionally, CISOs had been confined to IT and risk management, but perception of the role is now breaking out, with security leaders coming to be seen as business leaders responsible for the strategic direction of business cyber strategies – which may be where the lack of understanding arises.

“Within two years, the majority of UK and Irish businesses will have filled the CISO role,” said Erwin. “For them to work effectively, there is clearly a need for organisations to develop greater understanding of the role amongst IT departments.”

Perennial issue

Disconnects between what CISOs actually do and what their organisations expect of them have become a perennial issue as the prominence of the role increases, with communication between security leaders and other, less knowledgeable parts of the business – particularly company boards – a frequent blocker to more understanding.

Another recent report compiled by Ninjio, a cyber training, testing and reporting specialist, laid out three key steps for CISOs to take to seize the initiative and try to bridge this gap by enhancing security education.

Ninjio’s data revealed that 58% of CISOs were struggling to communicate technical language in a way senior leadership could understand, so the first step to remedy this is to present essential cyber concepts in intelligible language. In particular, CISOs can lean on the real-world consequences of cyber attacks, leaning on financial costs, the threat of lost customers, damage to brand reputation and so on.

Given nearly 75% of successful breaches involve a human element, CISOs should also try to take advantage of cyber security assessment tools (CSATs), deploying them strategically to show business leaders – and regular employees as well – what tactics may be used on them by threat actors, and empower them to do more off their own backs.

The third step is to prioritise accountability to build sustainable support for security in the organisation. Since the threat landscape is constantly evolving, security awareness cannot be treated as a box-ticking exercise, and many people on the receiving end are liable to quickly forget what they have learned. Constant reinforcement, and testing, may help to address this.

“The ultimate goal of any cyber security awareness programme is to establish a culture of cyber security,” said Ninjio CEO Shaun McAlmont. “From my experience as an executive leader in the education and security industries, I’ve learned two important aspects of getting buy-in at the board level: clearly articulate the end goal, then explain how progress and success is measured.

“We’ve seen a recent uptick in boards prioritising the overall safety of their companies; and as they increase their investments in cyber security, it’s the CISO’s job to help them put resources to the best possible use,” he said.

Read more about the CISO role

Read more on IT risk management

Data Center
Data Management