The ranks of chief information security officers, or CISOs as they are commonly known, are unsurprisingly dominated by men; on average, however, they seem to be younger than other senior business leaders, with 73% under the age of 45. Furthermore, 42% of female CISOs are under 35 years old, which is quite surprising but also encouraging.

This is according to a new whitepaper, Global Snapshot: The CISO in 2020, released by Marlin Hawk, which draws on internal and qualitative research across 500 CISO (or equivalent) executives employed at businesses with 500 or more employees. This includes 50 businesses each in Hong Kong and Singapore.

What do CISOs do?

At present, the primary KPI for the modern CISO is attacks prevented (33%). The majority of CISOs globally agree with this (77%), which makes sense, given that evolving threats remain the number one concern for them. However, respondents say they spend only 50% of their time actively defending their businesses, while the rest of their time is split among other related responsibilities.

Globally, finding new technologies (40%) and people management (25%) take up the most time. In the UK, people management jumps up to 40% – compared with 33% in the US, and 9% in APAC. Given the demand for technology and cybersecurity talent globally, UK CISOs may be concerned that the lure of working on the US’s West Coast – a market where salaries are typically higher – may attract their best talent. Therefore they may be working hard to ensure they keep their best people.

The lack of time spent on people management is indicative of the evolving role of the CISO and further proof that, in terms of business leadership, the role is somewhat ill-defined.

Which business unit do CISOs come from?

Interestingly, despite a CISO’s role being so closely linked to risk and compliance, only 14% of those who have not always worked in information security come from this area of the business. It’s particularly low in the US (6%) but is slightly higher in the UK & Ireland at 17%.

However, in APAC, a third (33%) of CISOs come from a risk and/or compliance role. This may be for a number of reasons, including a more limited talent pool, and a focus on regulated businesses where risk management is paramount.

Do CISOs move across industries?

Just under a third (29%) of all CISOs have moved across industries. It’s particularly prevalent in the UK and Ireland, where 37% of CISOs have moved across industries, compared to 18% in the US and 16% in APAC. This may be due to a number of factors. For example, in the UK, having a CompSci degree is less desirable than in other markets.

Given that businesses are looking for CISOs with diverse qualifications, it makes sense that these same businesses would welcome CISOs that have different professional backgrounds.
