In 2024, it’s time to create your CISO superhero
The job of a chief information security officer (CISO) seems to be getting harder and harder. Alongside everyday challenges around shifting legal and compliance requirements, 2023 was full of high-profile incidents that emphasized just how difficult the job can be.
Last year, for instance, the former CISO of Uber, Joe Sullivan, was sentenced to serve three years’ probation and pay a $50,000 fine after failing to disclose a data breach and paying the hackers to remain silent. Then in October, Tim Brown, SolarWinds CISO, was charged by the US Securities and Exchange Commission (SEC) with fraud and internal control failures. He could be barred from all future officer and director positions, which may result in serious career and reputational damage.
In addition to these headline-making events, CISOs also had to remain aware of new regulatory developments. The SEC issued new cybersecurity rules around mandatory incident disclosure and risk management strategies. Similarly, across the European Union, the new NIS2 Directive expands the legal considerations that CISOs have to be cognizant of.
However, although some CISOs are struggling with these new regulatory shifts (41% of enterprise cybersecurity professionals cite the overwhelming workload as the most stressful aspect of their roles), there remains reason for optimism as we look ahead to 2024. The stresses and challenges that CISOs have been burdened with in recent times are likely to precipitate a shift within the industry that will create a more fulfilling, enjoyable role for cybersecurity personnel and a safer industry generally.
Here are the reasons why we believe 2024 could be the most exciting year yet for CISOs.
A CISO Shortage
Given there is a growing body of research indicating that many CISOs are under unsustainable levels of stress, it’s expected that recruiters may find it increasingly difficult to fill CISO roles. The cybersecurity skills gap, more generally, will make it difficult to promote from within too, with 71% of organizations admitting that the cybersecurity skills shortage has already impacted them.
To address the CISO shortage, teams are likely to take a two-fold approach - both human and technological. Regarding the former, greater investment in training is likely to ensure that current CISOs are aware of new developments and that the necessary skills are continuously refreshed for the next cohort of CISOs. In terms of technological developments, automation is set to play a larger role in many cybersecurity strategies, lessening the demand for resources. The next generation of CISOs will likely need a solid grasp of these cutting-edge tools to stand out in an increasingly competitive market.
A Salary Increase
The good news is that as shortages for CISOs begin to bite, organizations will look to increase their salary offers to attract the best candidates. According to the 2023 CISO Compensation Benchmark Study, CISO salaries were up 11% last year, driven in part by a growing awareness of the importance of cybersecurity. The job demands and risks, including legal penalties, mean that CISOs should expect to receive generous increases to their base pay, as well as various perks and bonuses.
While financial matters are not the only consideration when CISOs are looking at job roles - culture and purpose are key too, of course - remuneration is important for both retention and recruitment. In 2024, this is only likely to become more critical as businesses realize the extent of the CISO skills shortage in the job market. Efforts to alleviate some of the stresses that CISOs are currently under will also help to make positions more attractive to candidates.
Spotlight on CISOs
Although pay will broadly increase, there is likely to be greater scrutiny of the performances of CISOs and whether they merit the financial benefits on offer. The recent high-profile CISO failings mentioned above will serve as proof that CISO accomplishments must be examined carefully. Even where salaries or bonuses are tied to cybersecurity performance, it is important that CISOs disclose breaches as soon as possible. Any attempt by CISOs to hide security incidents in order to strengthen their pay packets will only lead to greater reputation damage further down the line - for the individual and organization.
Accountability is only likely to become more important to the CISO role, resulting in a slight shift in the values that are viewed as the most important for businesses. Transparency and communication will be heavily prized among recruiters as they look for their next CISO. And this shift will be seen more broadly across cybersecurity teams. Accountability must be driven by leaders, stressing the connection between cybersecurity strategies and business risk. Here, automation will also help, making it clearer for CISOs to see if security KPIs are being met across the entire attack surface.
A Direct CEO Connection
In the year ahead, you will see a closer connection between the boardroom and cybersecurity teams - and this will mean more CISOs reporting directly to the CEO. There will be a realization that cybersecurity can no longer be viewed as a separate function but one that is intrinsically linked to overall business outcomes. As such, CISOs will transition from reporting to IT leaders (49% still report to a CIO or other senior IT personnel) to the CEO.
In order to drive the change they want to see within an organization, especially to meet the inevitable regulatory changes on the horizon, CISOs will push for a closer connection to their CEOs. They will work together to align cybersecurity strategies and business goals, creating a security community stretching from the board level down, where policies receive input from all relevant stakeholders.
Greater CISO Demands
The increasing importance of the CISO position will be reflected in the fact that individuals have the confidence to demand more from their employers. These demands will largely revolve around more robust cybersecurity policies. Moving forward, CISOs are unlikely to be satisfied with security box-ticking. After all, recent events have demonstrated that they may ultimately be held responsible for cybersecurity failings.
A world of increasing CISO demands will see officers push for concrete, proactive initiatives, including penetration testing, red teaming, incident response retainers, greater automation, and cyber insurance coverage. CISOs will scrutinize more parts of a company’s security posture, so they aren’t ultimately (and legally) left responsible for defense breaches that they have little to do with.
The Future of the CISO Role
Predictions are always fraught with difficulties but one thing is certain: the CISO role will not remain unchanged in 2024. We will see CISOs collaborating to a greater extent with board members, under greater scrutiny than ever, and demanding more in terms of their pay and technological resources.
At Hadrian, we understand the stresses that CISOs and other cybersecurity personnel are under - and we understand the efforts that hackers continue to make to increase these stresses. The 24x7x365 offensive security analysis that underpins our platform is ideal for the CISO of the future. It helps discover, prioritize, and remediate threats faster - so your CISO’s demands are met, without increasing the manual burden on your security team.