The theme of this year’s survey of chief information security officers (CISOs) is “more.” More risk, more opportunity, more compensation. Even in the context of a cooling hiring market, the role of the CISO is maturing along with the function as organizations’ technological needs and risks advance, bringing greater emphasis on cybersecurity. Organizations and leaders must look to the future of the function, ensuring success and continued organizational sustainability with a robust succession plan, expanded cybersecurity expertise and leadership development, and competitive compensation packages.
Respondents this year cited a number of ongoing threats to organizational cybersecurity—risks both personal and organizational, including advancements in artificial intelligence and machine learning, geopolitical risks, and cyberattacks, including nation-state attacks. “It feels as if cybersecurity threats, both criminal and state-sponsored, [will] continue evolving at a rapid pace that’s often unpredictable or surprising,” wrote one respondent.
“Systemic risk will increase due to widescale dependence on a few providers,” said another. And, said a third: “[There is risk in] less owned infrastructure and more cloud-native assets. Also, skills don’t scale from old to new.”
We believe that this expertise is more and more crucial not only within organizations and executive teams but on boards as well. However, where there is a need for expertise there is inherent risk—talent risk. A notable 41% of respondents said their company does not have a succession plan in place for the CISO role. Organizations must ensure that they are prepared for the future in the case of a CISO’s unexpected departure.
In 2023, the share of CISOs who sit on a corporate board more than doubled, but still remains relatively low, and other Heidrick & Struggles research shows that the addition of board members with cybersecurity skills remains low as well. In the United States, new Securities and Exchange Commission (SEC) guidance may soon ask public companies to disclose which board members, if any, have cybersecurity experience, thus elevating the role even further. That said, the topic of who is qualified to be a cyber expert on a board remains complex.
As in prior years, the majority of respondents were men, and, in the United States, the majority were also white. Heidrick & Struggles’ experience recruiting CISOs so far in 2023 reflects an increasing need for diverse talent. Heidrick & Struggles is proud to share that non-white executives account for 46% of our cybersecurity search placements. We are seeing companies increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.