June 8, 2013 By Marc van Zadelhoff < 1 min read

During the last year, we did a lot of thinking about the role of the CISO, including a major survey we posted. As we embark on our next round of research I wanted to share a summary of how we see the Chief Security Officer role evolving. See below:

CISO Role Today CISO+ Role in Future
CISO’s Background
  • CISOs come from varied backgrounds
  • Often inherited the role
  • Moved up through the IT or business ranks
  • Some are hired from outside to create public perception
  • Proven track record to lead during a crisis
  • Knows how to take risks
  • Ability to manage & communicate clearly and concisely to upper management / Board
  • Heavy on business skills  / Lighter on technical skills
Reporting Line
  • CISOs typically reports to CIO; typically a layer in between CISO and CIO
  • Some CISOs report to COO
  • CISO+ reports directly to CIO
  • Have  responsibility for; Strategy, Policy, Ops, Compliance, Crisis Management
Level of Authority
  • Not always viewed as a key decision maker
  • Seldom an actual executive role
  • Often tactical and reactive
  • Transformational leader
  • Sr. level executive
  • Combined role of IT Risk Officer & CISO
  • Responsible for Initiatives & Ops
  • Strategic & pro-active
Areas of spend / Budget responsibility
  • Majority of budget directed at maintenance projects to keep current initiatives running
  • Other spending on pro-active initiatives and reactive projects
  • Majority of budget spending will be on transformational initiatives
  • Budgets should be a percent of the Enterprise budget since all functional groups have security requirements
Scroll to view full table

What do you think?  Do you agree with the role today and how it will evolve to a strategic role in the future?

As I mentioned, the IBM Client Insights team will be completing our second CISO survey soon. We’ll incorporate your comments in to that work!

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today