Research reveals CISOs are being asked to do more with less while incurring more personal legal risk; CISO job satisfaction decreased in the last year, with 75% considering an employment change.
Boston, MA – January 17, 2024 – Today, IANS Research and Artico Search released their State of the CISO 2023-2024 Report, an annual research study that provides deep insights into critical aspects of the CISO role based on background, job level, compensation,
budget dynamics, board engagement, and job satisfaction data. This year, more than 660 Chief Information Security Officers (CISOs) provided data. Additionally, research team members held conversations with over 100 CISOs to better understand
the challenges CISOs face today and future opportunities.
At the outset of 2024, CISOs are experiencing a duality of anxiety and opportunity, which is attributed to reduced cybersecurity spending, increasing cyber breaches, the rise of generative AI tools, and stricter cybersecurity rules emphasizing
disclosure requirements. In this context, key report findings include:
Traditional CISO role characteristics may no longer meet the needs in this rapidly evolving landscape. This situation gives CISOs an unprecedented opportunity to argue for a place in the executive ranks. Furthermore, the increased threat
environment organizations face gives CISOs more ammunition to influence leaders outside their direct sphere of control.
Regulators now hold CISOs accountable for transparency and even fraud on behalf of their organizations. Despite the role expectations being elevated to C-Level, CISOs struggle to be viewed as such, and the CISO role is frequently not part
of the senior leadership team. Only 20% of all CISOs and 15% of public company CISOs are regarded as C-Level executives, and just 50% engage with the Board quarterly. CISOs with Board access are more optimistic about budget and risk
alignment. Only 28% without Board engagement are satisfied versus 57% with at least infrequent or ad hoc Board contact.
CISOs seek clear risk guidance from boards but often don’t find it. 85% of CISOs in the survey indicated their board should offer clear guidance on their organization’s risk tolerance for the CISO to act on. However, just 36%
find that this is the case.
A seat at the table calls for increased business skills. Most CISOs build their leadership skills through executive coaching and formal leadership training; the total compensation of CISOs who are in or have completed an executive coaching program
exceeds that of those who haven’t done a leadership skill development program by more than $200,000. Only 20% of CISOs receive internal mentoring from non-tech colleagues.
Technology skills dominate CISOs' formative years. In the years leading up to the top job, the two dominant career paths are a technical path and a risk and compliance path, although some CISOs have crossed over during their formative
years. CISOs with a tech background earn more than risk/compliance CISOs.
Most CISOs are considering a job change. This year’s satisfaction ratings suggested heightened anxiety among CISOs. Between 2022 and 2023, the share of CISOs who are satisfied in their job and company fell by 10 points to 64%. Meanwhile,
the share open to a job change increased by 8 points to 75%.
“We see CISO satisfaction positively correlated with access and influence at the board level,” stated Steve Martano, a partner in Artico Search’s cybersecurity practice and IANS Faculty member. “CISOs with a strong rapport with
their boards feel more valued and generally report they are ‘heard’, even when there are disagreements on budgeting.”
For more insights, please download the full summary report.
IANS and Artico Search fielded their annual CISO Compensation and Budget survey in April 2023. This year, they expanded the survey to include a dedicated set of questions for staff, including analysts, architects, engineers, managers, experts, and functional
leaders. From April until August, they received survey responses from 663 CISOs and 532 staff from companies that varied by size, location, and industry.
The organizations combined the data from both groups to determine the decisions made for the security organizations at small and midsize companies (with annual revenues of between $50 million and $400 million), large enterprises (with an annual revenue
ranging between $400 million and $6 billion), and very large and global enterprises (with annual revenues exceeding $6 billion).
Founded in 2021, Artico Search’s team of executive recruiters focuses on a “grow and protect” model, recruiting senior go-to-market and security executives in growth venture, private equity, and public companies. Artico’s dedicated
security practice delivers CISOs and other senior-level information security professionals for a diverse set of clients.
For the security practitioner caught between rapidly evolving threats and demanding executives, IANS is a trusted resource to help CISOs and their teams make decisions and articulate risk. IANS provides experience-based insights from a network of
seasoned practitioners through Ask-an-Expert inquiries, a peer community, deployment-focused reports, tools and templates, and executive development and consulting.