Chief Information Security Officers


To understand how the role of chief information security officers (CISOs) has changed over the last few years in terms of how common the role is (e.g., number of companies), the responsibilities involved, and the experience needed.

Early Findings

  • Companies are “re-defining the roles and responsibilities of CISOs by expanding job criteria to include organizational leadership, business management, and other traditional ‘soft’ skills.”
  • The major change is that the CISO role is no longer designed to focus only on network security (e.g., traditional security, privacy, and compliance issues); the soft skill of leadership is now highly desired (listed more than twice as often as hard skills).
  • Five cybersecurity CISO priorities for the future include identity management in a multi-cloud world, protecting assets with encryption and zero trust, the rise of DevSecOps, responding to “alert fatigue”, and educating employees to think like a CISO.
  • Forbes noted that some prominent CISO priorities for 2019 included gaining threat visibility across all platforms, understanding the new perimeter (the cloud and user identities), nurturing a culture of security, aligning security operations with IT operations, and addressing the risks from inside the firewall.
  • A report that might be of interest, though it is behind a paywall, is Fortinet’s “The CISO Ascends From Technologist to Strategic Business Enabler.”
  • In October 2019, it was noted that 38% of Fortune 500 companies did not have a CISO and 77% of the companies gave no indication on their websites about who is responsible for their security strategy.

We found some proprietary research from one of our data partners which may be helpful:
  • "Security Advisory Services Market by Service Type (Penetration Testing, Vulnerability Management, Incident Response, Security Risk, Compliance Management, and CISO Advisory and Support), Organization Size, Vertical, and Region - Global Forecast to 2024" (MarketsandMarkets, $4,950)
  • Section 6.8: Chief Information Security Officer Advisory and Support ($402.50)
If you'd like us to purchase any of these reports on your behalf, just let us know!

Proposed next steps:

The research team is able to continue the research by further identifying characteristics of chief information security officers, including but not limited to 7-10 insights about how common the role is, the number and type of companies that use them, the responsibilities involved, and the experience needed (basic and preferred).
The research team is also able to assist in researching the role of chief information security officers by looking at how the role has changed over the last few years. We can identify 5-7 trends that have emerged since 2017 and include company examples as well as hard data and facts about the role.
The research team can also conduct a media scan to look for 5-7 high-profile chief information security officers and note the companies they worked with, what they said their concerns, challenges, or successes were, and any expert opinions they had about their responsibilities or actions.