by Dan Swinhoe

CISO job elevation stalls despite increase in attacks and security budgets

Feature
Jun 19, 2019
Security Software

An overwhelming number of CIOs are expecting an increase in their budgets specific to security to tackle the growing cyber threat, according to the 2019 CIO 100.

Continuing the trend of recent years, the 2019 edition of the CIO 100 found that growth in security budgets has occurred in line with the increasing number of cyber attacks. Yet in contrast to the 2018 CIO 100, the number of CISOs reported as being peers of the CIO hasn’t increased, despite the growth in budgets and attacks.

Security spending continues to grow

The security threat continues to escalate and challenges around ensuring organisations are secure remain, with 59% of companies reporting that they had detected a cyber intrusion in the last 12 months, up from 56% in 2018.

The spectre of GDPR had been a driving factor for increasing security budgets through 2017 and 2018, but the regular slew of security incidents in the headlines, alongside very public and costly attacks on the likes of British Airways, Norsk Hydro, and the City of Baltimore has convinced boards to keep increasing spending. Some 83% of the organisations in the 2019 CIO 100 are expecting an increase in budgets specific to security to tackle the growing cyber threat. This figure was 81% and 82% in 2018 and 2017 respectively.

Where do CISOs sit in the business?

Despite this increase in budgets and number of successful attacks, the CISO’s standing within their organisations has stalled somewhat – at least according to those represented in the CIO 100. Only 12% of CIOs surveyed in the 2019 CIO 100 said that the CISO is a peer to the CIO at their organisation.

In 2018 the number of CISOs that were peers to the CIO was 16%, a significant increase from the 5% of 2017 respondents. Some 8% of CIOs responded explicitly that they were the CISO, a small increase on the 2018 CIO 100 survey.

Still the most common organisational setup is to have the CISO or equivalent reporting into the CIO function: 65% of companies have a CISO or equivalent reporting to the CIO, or have information security leadership covered by a member of the CIO's department, in line with the 2018 figures. CFO reporting lines accounted for 2% of CISOs, while another 2% report to a different function within the business.

Some 2% of respondents were recruiting for a CISO, while 4% of companies were outsourcing the role to a ‘virtual’ CISO, ‘CISO-as-a-Service’, or other third-party organisation, which is double the 2018 figure.

‘New era for the CISO’

Just 4% of the CIO 100 responded that they have no CISO or equivalent role at their organisation, while one CIO responded that it was a responsibility of their whole team.

Despite these results, industry CISOs are confident about the future of the role. “The technical CISO, the cyber individual who’s hidden away in a dark room, those days have gone,” says Mark Parr, CISO at KPMG UK. “The role of the CISO is much more about helping the business and its people operate effectively and securely.

“This is a new era for the CSO. It's a fairly new appointment that for a long time was deemed just to be an IT or technology role, but actually, the reason I took this role is that it's very much a senior leader in the organisation that is there to represent at that senior level.”