During the last year, we did a lot of thinking about the role of the CISO, including a major survey we posted. As we embark on our next round of research, I wanted to share a summary of how we see the Chief Security Officer role evolving. See below:

CISO’s Background
  CISO Role Today:
  • CISOs come from varied backgrounds
  • Often inherited the role
  • Moved up through the IT or business ranks
  • Some are hired from outside to create public perception
  CISO+ Role in Future:
  • Proven track record to lead during a crisis
  • Knows how to take risks
  • Ability to manage & communicate clearly and concisely to upper management / Board
  • Heavy on business skills / Lighter on technical skills

Reporting Line
  CISO Role Today:
  • CISOs typically report to CIO; typically a layer in between CISO and CIO
  • Some CISOs report to COO
  CISO+ Role in Future:
  • CISO+ reports directly to CIO
  • Has responsibility for: Strategy, Policy, Ops, Compliance, Crisis Management

Level of Authority
  CISO Role Today:
  • Not always viewed as a key decision maker
  • Seldom an actual executive role
  • Often tactical and reactive
  CISO+ Role in Future:
  • Transformational leader
  • Sr. level executive
  • Combined role of IT Risk Officer & CISO
  • Responsible for Initiatives & Ops
  • Strategic & pro-active

Areas of spend / Budget responsibility
  CISO Role Today:
  • Majority of budget directed at maintenance projects to keep current initiatives running
  • Other spending on pro-active initiatives and reactive projects
  CISO+ Role in Future:
  • Majority of budget spending will be on transformational initiatives
  • Budgets should be a percent of the Enterprise budget since all functional groups have security requirements

What do you think? Do you agree with the role today and how it will evolve to a strategic role in the future?

As I mentioned, the IBM Client Insights team will be completing our second CISO survey soon. We’ll incorporate your comments into that work!
