
joltsik
Contributing Writer

Why 2024 will be the year of the CISO

Opinion
21 Dec 2023, 8 mins
CSO and CISO | IT Leadership | Regulation

Legal concerns, compliance requirements, board-level scrutiny, and continual job stress will make 2024 a challenging year for CISOs.

[Image: decision making, CISO, SOC. Credit: Gorodenkoff / Shutterstock]

The year 2023 has been difficult for CISOs.

  • In May, former Uber CISO, Joe Sullivan, was sentenced to serve three years’ probation and pay a $50,000 fine. Sullivan failed to disclose a data breach and paid off hackers to remain silent. Sullivan has appealed the conviction.
  • In October, Tim Brown, CISO at SolarWinds, was charged by the US Securities and Exchange Commission (SEC). Brown is accused of fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. According to the SEC statement, “The complaint alleges, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was ‘not very secure’ and that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to ‘major reputation and financial loss’ for SolarWinds.”
  • In December, Steve Katz, purported to be the world’s first CISO, passed away. Katz first assumed the CISO role at Citicorp in 1995 and then went on to work at JP Morgan and Merrill Lynch. According to an article from bankinfosecurity, Katz “spent the bulk of his retirement advocating for cybersecurity standards, information sharing, and effective leadership.”

Aside from the experiences of these individuals, CISOs also faced a wave of new regulations in 2023, with even more coming next year. New SEC cybersecurity rules call for mandatory cyber-incident reporting for all US-listed companies. Domestic issuers must disclose material cybersecurity incidents within four days, via Form 8-K filings. Private foreign issuers must submit Form 6-K filings to disclose material cyber-incidents. Organizations must also have cybersecurity expertise on their boards, a documented risk management program, and specific cybersecurity leadership.

Financial services firms also face changes to New York State Department of Financial Services 23 NYCRR 500, including new requirements for larger companies, expanded governance requirements for boards, expanded cyber incident notice, new requirements for incident response and business continuity planning, and additional multifactor authentication requirements.

In Europe, NIS2 takes effect in October 2024. While NIS1 covered critical industries like healthcare, energy, transport, digital infrastructure, and financial market infrastructures, NIS2 expands the industries affected to include the food sector (production, processing, and distribution), social networking services platforms, cloud computing services, and data centers. NIS2 focuses on four primary areas: risk management, corporate accountability, reporting obligations, and business continuity. At a more granular level, NIS2 impacts policies and procedures for the use of cryptography, vulnerability management programs, employee access to sensitive data, multi-factor authentication, evaluating security technology efficacy, employee training, and supply chain security.

How are CISOs coping with this bong hit of legal scrutiny and regulatory oversight? Not well. According to recent research from ESG and the Information Systems Security Association (ISSA), 62% of CISOs surveyed claim that their job is stressful at least half the time. CISOs are particularly stressed by things like an overwhelming workload, working with disinterested business managers, and keeping up with the security requirements of new business initiatives. Furthermore, 36% of CISOs say it is very likely or likely that they will leave their current job within the next year, compared with 26% of non-CISOs. Many (46%) have considered leaving cybersecurity altogether, compared with 28% of non-CISOs.

Why would CISOs move on from cybersecurity? Sixty-five percent say they have considered an exit due to the high stress associated with a cybersecurity job, 43% claim they are frustrated because their organization doesn’t take cybersecurity seriously, and 39% say they are close to retirement age and will leave the cybersecurity profession upon retirement.

2024 a year of change for CISOs

Given the stress on and increasing scrutiny of the position, I believe 2024 will be the year of the CISO. To be clear, I’m not suggesting some ‘hooray for the CISO’ ceremonial platitude. I’m saying that individual organizations and the business world at large will scrutinize, experiment with, and ultimately modify the CISO role in 2024, more so than at any time in the past.

Here are five predictions for what happens next year:

  1. There will be an acute shortage of CISOs available for hire. As the ESG/ISSA research indicates, many fed-up CISOs will retire, while others will move on to become virtual CISOs (vCISOs) or take field CISO positions with security technology vendors. We’ll read numerous stories next year about CISOs up and quitting on the spur of the moment. While the reasons won’t be disclosed, you can bet they are among those cited above. Competition for qualified candidates will be fierce. On a side note, I don’t believe there is a significant population of next-generation CISO candidates with the right experience to step up. In 2024, we will augment our general discussion of the global cybersecurity skills shortage with a specific addendum about the CISO shortage.
  2. CISO pay and compensation will rise precipitously. Aside from a handful of $1 million positions, CISOs aren’t paid nearly as much as one might assume. Salary.com calculates a median salary of about $241,000 with 90% of CISOs making $302,000 or less. Given the job requirements (long hours, stress, being on-call, etc.), this isn’t very much. With the competition for candidates, firms will greatly increase base pay, perks, and bonuses, leading to hyper CISO salary inflation. Oh, and with the legal wranglings in the industry, CISOs will demand that compensation contain adequate director and officer (D&O) insurance.
  3. There will be more scrutiny around CISO equity and bonuses. While we hope CISOs stick to the moral high ground, some may be tempted to stray if compensation is skewed by their equity positions. Yup, disclosing a data breach or excessive cyber risk may be the right thing to do, but it may also undercut that new boat purchase the CISO has been planning for. Yes, CISOs should be team players and benefit when their organizations prosper, but their compensation should be tied to strong risk management, security efficacy, operational efficiency, and business enablement, not a random walk down Wall Street.
  4. More CISOs will report to the CEO. The ESG/ISSA research indicates that nearly half (49%) of CISOs report to the CIO or another senior IT person, while 24% report directly to the CEO. Those reporting to the CEO tended to work at smaller organizations. In 2024, CISOs will lobby for and drive a change in reporting structure, due to overall legal and regulatory concerns. New CISOs will eschew job offers where they report to IT. CISOs will also want to create cybersecurity committees and report directly to the board on cyber-risk management and regulatory compliance.
  5. CISOs will demand better incident response planning. CISOs won’t tolerate ‘checkbox’ preparation when it comes to these new regulations. Rather, they will demand tabletop exercises, penetration testing, red teaming, IR retainers, and cyber insurance coverage. They will scrutinize escalation processes, internal/external communications, and the individual roles and responsibilities of business management. Again, these activities should be commonplace but are often minimized. The cybersecurity buck should stop at the CISO’s desk, but no CISO will endure being a legal scapegoat.

CISOs will also want more input into what’s reported to the public. Boilerplate legalese won’t be tolerated. Rather, CISOs will want to err on the side of transparency. When challenged on this point, CISOs will head for the exit.

Splitting up the CISO role

Recognizing the difficulty of the position, I proposed a few years ago that the CISO role be bifurcated. I suggested two roles:

  1. A business-focused executive focused on risk management and regulatory compliance, and
  2. A technically focused executive focused on threat prevention, detection, and response.

The former should report to the CEO and board; the latter should have a dotted line to the former while reporting directly to the CIO. Given the angst around the position, these dual roles may become a reality in 2024.


Jon Oltsik is a former distinguished analyst and fellow at the Enterprise Strategy Group and the founder of its cybersecurity practice in 2003. Jon remains active in the cybersecurity community, writing, consulting, and working with CISOs, cybersecurity practitioners, threat intelligence analysts, and security technology vendors.
