Most CISOs Believe They're on Track to Become CEOs

The role of chief information security officer (CISO) is being treated with newfound respect, according to research by a security solutions integrator.

Optiv Security's State of the CISO survey questioned 100 CISOs in the US and 100 CISOs in the UK to discover how the role is currently perceived within the traditional business hierarchy. 

The results, published today, show that 96% of respondents think that senior executives have a better understanding of cybersecurity than they did five years ago, and 67% said the business they worked for prioritized cybersecurity above all other business considerations. 

Interestingly, 58% of CISOs reported that their job prospects had improved after they experienced a data breach. In fact, most respondents thought that the career path of a CISO was today more illustrious than ever. 

Of the CISOs surveyed, 76% felt that cybersecurity risk was now so important to businesses that CISOs would start being promoted to the role of CEO. Not bad for a relatively new role in the corporate executive hierarchy.

"The Chief Information Security Officer has traditionally reported to the CIO because the job has been regarded as primarily technical. However, the current epidemic of breaches coupled with privacy regulations like the GDPR and CCPA has made cybersecurity a tier-1 business risk," wrote researchers for Optiv. 

According to Optiv’s practice director of risk management & transformation, Mark Adams, CISOs have many qualities that would make them great in the role of CEO. He said: "The CISO exhibits a mastery of negotiation by actively listening and applying the disciplines of consensus-building among his peers and subordinates. The effective CISO thinks more strategically than tactically, planning for the long term and what organizational conditions must be managed to achieve success."

But before CISOs ascend the ranks they have some serious work to do, especially in the US, which the research shows lags behind the UK when it comes to practicing what to do in the event of a cyber-attack.

Adams said: "UK-based organizations report a significantly higher frequency of rehearsing their incident response plans. It is a bit surprising that 36% of US-based companies reported exercising their plans less than once per year, particularly given the adverse impact that perceived negligence can have on the brand/reputation of the organization."