January 13, 2020//Tony Howlett
Chief information security officer, or CISO for short—it’s a very popular title lately, being added to C-suites at companies of all sizes. It seems corporate boards feel a company isn’t considered serious if it doesn’t have a CISO or similarly titled executive in board meetings. And due to their popularity, they are not cheap positions to fill. According to Salary.com, the average base salary for a CISO runs $168,000 to $287,000 per year. And yet, a survey by Bitglass showed that 38% of the Fortune 500 did not have a named CISO.
Company size alone may not indicate when it’s appropriate to add a CISO to your executive team. Other factors come into play, including regulatory requirements, industry, geography and whether there’s a focus on information security as a corporate priority.
The most important factor in whether a company has a CISO seems to be how regulated its industry is. In fact, many compliance regulations require having a named officer in charge of security, privacy or related matters. The FDIC and OCC, major regulators of the finance sector, both highly recommend in their guidance documents having an owner at the executive level for security functions. The GDPR (the sweeping EU privacy regulation) and CCPA (a similar law covering California residents) require officers managing the privacy of their customers’ data. Health care, gaming, legal, transportation, energy and many sectors of manufacturing also require various levels of executive involvement in information security.
When a company is highly regulated, the size really doesn’t matter. Even the smallest community bank will generally have an information security officer, though sometimes these roles have a dual responsibility. Even if your industry regulations don’t specifically require a CISO position, you may want a CISO just to coordinate the large amount of security and compliance reporting at the management and board level. However, in compliance-focused industries, it is not generally recommended that CISOs report up through IT or operational lines. You don’t want the person checking the security of your corporate infrastructure to be the same person building that infrastructure.
Industry also plays a larger role than size when it comes to needing a CISO. Certain industries seem to be more security-focused than others, which might be due to the regulatory concerns listed above, the value of trade secrets and IP, public safety or other considerations. For example, the transportation industry has the highest rate of CISO positions overall. This seems obvious when you consider that we don’t want hackers inside our self-driving cars or accessing airliner flight systems. Technology companies also seem to have a higher number of CISOs, especially in the security sector, since their work is more likely to have digital and online outputs. The same study by Bitglass found that the hospitality industry has the lowest level of security officer positions. And, possibly not unrelated, that industry has been the target of a number of high-profile, large breaches, with both the Hilton and Marriott chains suffering multi-million-record breaches in the last few years.
Geography also has a bit to do with whether a company has a CISO. Midsized companies in the European Union are more likely to have appointed a security officer due to the GDPR regulation, which affects companies of every size in the EU. Companies located in the United States and other first-world countries also have a higher rate of CISO penetration of the C-suite compared to those in less developed countries. Hackers generally go after the richer, more established companies, which are also where a higher premium is placed on information security.
Forward-thinking boards of directors, even at midsized companies, are adding CISOs. This isn’t always just because of regulations or significant IP to protect, but because threats to company security are being seen as existential threats more than ever before. The near-total reliance on the internet and IT services at most companies means that having secure and available information services is as essential as having functional sales and marketing and accurate financial reporting. Indeed, with the increasing use of external SaaS services for those functions, the security and availability of those services must be there for the other departments to do their jobs properly.
So there are many reasons that a midsized company may decide to add a CISO to its management team. Above the smallest companies, it seems that size does not have as much to do with it as the company’s industry, the amount of compliance and regulation it faces, its location and an increasing belief among boards and top company leaders that information security and privacy are a core business function worthy of C-level responsibility and management.