Security ‘shifts left’, and tech leaders’ roles follow

Published on the 12/07/2023 | Written by Heather Wright

Take a step to the left…

Fewer CISOs are reporting directly to the CEO now than a year ago, with more than a quarter of Australian CISOs now reporting to the CTO or senior engineering executive, as security ‘shifts left’.

That’s according to Heidrick & Struggles’ annual Global Chief Information Security Officer Survey, which also shows, unsurprisingly, that artificial intelligence and machine learning are seen as the most significant cyber risks.

The survey of 262 CISOs globally included 39 in Australia. Most held global roles within their organisations, and just over half of the Australian respondents had teams of fewer than 25 staff, though 10 percent had a team of more than 200.

“The number of CISOs reporting to the CIOs will continue to decrease as the CISO role takes a broader enterprise risk oversight role.”

It found the number of CISOs reporting to CEOs is declining – just five percent globally report directly to the CEO, down from eight percent in 2022 and 11 percent in 2021. Fewer are reporting to CIOs too, down from 38 percent last year to 36 percent, with the CTO or senior engineering executive gaining traction instead.

That’s something Heidrick & Struggles put down to the ‘shifting left’ of the role, from compliance into technology.

“We believe the number of CISOs reporting to the CIOs will continue to decrease as the CISO role takes a broader enterprise risk oversight role with direct ties to the audit committee and board.”

The findings highlight the changing roles and responsibilities of CISOs.

Matt Aiello, Heidrick & Struggles partner, says the increasing importance of cybersecurity is creating a significant shift in the role of the CISO as organisations face heightened professional and personal risk.

Two-thirds of the CISOs in the survey are now two levels down from the CEO, reporting to a role that reports directly to the CEO.

But while they might not be reporting to the CEO, they still have significant visibility with the board, with 91 percent saying they present to the full board or a committee.

That’s something of a double-edged sword, however, with more than half of respondents believing their board only ‘somewhat’ has, or does ‘not at all’ have, the knowledge or expertise to respond effectively to their presentations.

Unsurprisingly, AI was identified as the most significant threat in the next five years.

“It’s one of many threats that will require a constant and rapid evolution of the CISO’s skills and is part of a broader trend of the CISO role becoming more technical,” the report notes. “Specifically we are seeing a rise in the need for CISOs to understand software engineering and cloud security.”

That’s something Heidrick says tracks with the general ‘shifting left’ of security, with security measures, focus areas and implications occurring earlier in the lifecycle.

Geopolitical risks were ranked second, with cyberattacks, including ransomware, malware, insider threats and nation-state threats, coming in third, considerably behind AI/ML and geopolitical risks.

Ten percent viewed quantum as a significant threat, while perhaps surprisingly, just four percent thought supply chain presented a significant cyber risk.

The Australian CISOs were also reporting healthy cash compensation packages of $368,000. Average total compensation, including long-term incentives, was $586,000.
