Published on 04/10/2022 | Written by Heather Wright
Hurdles to board aspirations…
The need for cybersecurity experience on boards has been highlighted for some time now, but it’s not flowing through to reality according to CISOs who, while bullish for board roles, are still facing hurdles in their boardroom aspirations.
The 2022 Global Chief Information Security Officer Survey by Heidrick & Struggles shows that despite an increased focus and investment in cybersecurity, as evidenced by growing compensation and team size and evolving reporting relationships, board membership for CISOs still isn’t happening.
“Cybersecurity is becoming more embedded in core software development and business processes.”
The report – which focuses on the top end of town with more than two-thirds of the 300+ surveyed being at companies with annual revenue of US$500 billion or more – shows when it comes to the ideal next role, CISOs around the world are eyeing up the board. That’s true too in APAC (A/NZ figures aren’t broken out) where 44 percent of CISOs want to be a board member, versus 56 percent in the Americas and 40 percent in Europe.
But Heidrick & Struggles says there’s a wrinkle in CISOs’ board plans, with many boards wanting members with prior board experience.
Earlier this year the Governance Institute of Australia released a report which found that more than half of all respondents had few, if any, directors with technology skills as part of their core skill set. While that report was focused on the impact on digital transformation, it also notes that companies surveyed saw cybersecurity and cyberattacks as the top technology risks for organisations, well ahead of second-placed data governance, at 49 percent. The lack of digital skills, the Governance Institute of Australia says, is leaving directors ill-equipped to probe digital strategy and feeling uneasy, and risk averse, on big issues such as cyber security, which can stifle innovation.
Globally, 42 percent of the CISOs surveyed by executive search company Heidrick & Struggles said they had neither advisory nor corporate board experience, and just two percent said they had corporate board experience, while 43 percent said they had advisory board experience.
“In the future, we expect more companies to consider adding CISOs to their boards,” the report helpfully adds.
But the CISO does at least have visibility to the board, with 88 percent reporting to either the full board or a committee – primarily committees for the APAC respondents.
At the end of the day though, board member or not, it’s the CISO who shoulders the responsibility for cyber security – and that’s weighing heavily on many.
Unsurprisingly, ransomware attacks top the list of the most significant threats the CISOs say their companies are facing, at 67 percent. Insider threats (32 percent), nation-state attacks (31 percent) and malware attacks (21 percent) are also causing concern.
The five functions most CISOs say report to them have remained the same year over year: security operations; governance, risk and compliance; penetration testing; security architecture; and product or application security.
The strong presence of application/product security as a regular part of the CISO’s mandate was a new development in 2021 and has maintained priority this year.
“Those areas of responsibility are aligned with the most significant threats CISOs say their companies are facing,” Heidrick & Struggles says.
“We are seeing cybersecurity becoming more and more embedded in core software development and business processes, with the most sophisticated cyber programs getting ahead of threats and taking a ‘security by design’ approach across the board.”
It’s not just the threats themselves that are keeping CISOs up at night. Talent shortages, increasingly sophisticated threat landscapes and uncertainty over their organisation’s support see large numbers of CISOs reporting job-related stress.
For Asia Pacific CISOs, the threat of job loss as a result of a breach is proving more stressful than it is for global counterparts, with 33 percent flagging it as one of the most significant personal risks relating to the role, versus just 16 percent in Europe and 28 percent in the Americas.
Perhaps indicative of a less mature market when it comes to security and less ability to command executive-level protections such as insurance coverage, concern over personal financial accountability for a breach was also high in APAC, at 33 percent – well ahead of the 10 percent in the Americas and 11 percent in Europe. Feeling like their organisation doesn’t see the necessity of cybersecurity protocols (22 percent versus the global average of 13 percent), and feeling underpaid (33 percent versus 21 percent globally) also feature.
That’s undoubtedly driving the high stress for APAC CISOs – at 56 percent they’re just behind the Americas’ 60 percent and the global average of 59 percent. Burnout, which figured high globally at 48 percent, wasn’t such a factor for APAC CISOs at 33 percent.
Perhaps surprisingly, no Asia Pacific CISOs said feeling unsure of their ability to keep up with rapidly evolving threats was a concern. In the US that concern about keeping up with threats was significant for 18 percent, while in Europe it was expressed by 23 percent of respondents.
And that career path conundrum?
The report shows that while most come from IT backgrounds, those with other backgrounds – notably software engineering (which accounted for 10 percent of those surveyed) – are making their presence felt. Those from finance backgrounds (two percent) are also slowly gaining a foothold.
Thirty-three percent of APAC CISOs surveyed are keen to be the CIO (vs 10 percent in the Americas and 18 percent in Europe), or chief security officer (covering both physical and information security).
That could be good news for local CISOs, 33 percent of whom say they currently report to the CIO – the very role they’re interested in.
None were eyeing up the CEO role locally, and equally none expressed interest in being a developer of new tools at a security firm.