Thank you for participating in our recent survey. As a reminder, we surveyed over 1,000 security leaders in the US and Europe to gather insights on where security is heading in 2023 from both a talent and thematic perspective. We hope our research findings are helpful to you, your organization, and your fellow security leaders as you plan the year ahead.
How often do you report to your Board of Directors?
- Over 90% of respondents report to their board at least once a year, with 77% having face time each quarter. This significant shift has been in motion for the last few years and our survey results confirm its continuation.
- There are still around 7% of respondents who never get in front of their board, but I imagine this number will continue to shrink with the regulatory changes led by the SEC.
- Why this matters: Board-level communication is now table stakes for any CISO, even if it takes some time for regulatory implications to take full effect. If you’re a security executive who does not regularly spend time in front of your board, you should advocate for that change immediately, both for yourself and your business. As the board’s security awareness heightens, you will be under the microscope more regularly and will also have a louder voice in influencing the security posture of your company. The bottom line — a direct line of communication between the CISO and the board increases security awareness and strengthens a security executive’s impact on the business. In contrast, a game of “executive telephone” increases risk and slows the progression of securing the company.
How do you see your company’s investment in security changing in 2023?
- The noise around budget increases for security teams remains a bit muted, even with the increased press and visibility surrounding breaches and other events. In fact, the expectations for budget increases are 10% lower than they were 2 years ago.
- 1 in 4 CISOs expect no increase in budget this year, while only 4% expect to see a drastic increase (defined as a 40% increase) in the budget this year.
- While this lack of increased budget expectations is concerning at face value, it’s worth noting that security tools and technologies, as well as the use of automation, have made operating a mature security program on a tighter budget more possible than ever.
- Why this matters: While economic uncertainty likely contributes to low expectations for budget increases, security teams are used to operating with tight budgets. Whether through automation, cross-training, or offshore resources, efficiency is core to most security leaders. The fallout here is that tighter budgets generally mean lower headcount, which slows the growth of security professionals and, therefore, the developing bench of future CISOs. The current state won’t be impacted much due to CISOs’ thrifty nature, but the future-state implications shouldn’t be underestimated.
In which area do you plan to invest the most new resources or budget in 2023?
- Automation-focused technologies remain the top priority for budget use in 2023.
- A positive trend for 2023 is the increased focus on investing in “Overall Talent.” This should include not only hiring and expanding security teams but also investing in the development of existing talent. 13% more CISOs plan to invest in overall talent as their top priority for 2023 than in years past, and that should be music to everyone’s ears.
- As more companies explore bringing in CISOs at earlier stages, this investment in talent and building a deeper bench will be critical, as there are not enough qualified senior security leaders today to meet market needs.
- Why this matters: The focus on automation will be a long-term budget saver. Conversely, talent is the second-highest response, and talent is expensive. Be thoughtful about how you budget these two priorities. Don’t let the implied ease of one option (automation) and the expense of the other (talent acquisition) deter you from developing your teams. Even if the headcount can’t grow, leverage that budget in other ways to uplevel your team.
Which security theme or focus area will be/remain the most important for your team and company in 2023?
- As expected, the responses to this open-ended question varied with company/industry specifics. The four themes that came up most often were Identity, Cloud Security, Talent/Security Leadership, and State Actors.
- Cloud security was one of the hottest topics in our last survey as well, which makes sense given the broad impact of the initiative. While the other top responses all have far-reaching impacts and require compliance and buy-in from multiple stakeholders, cloud security is an initiative influenced by almost every function within a company. With more companies committing to cloud-first initiatives and transformation, CISOs have a huge opportunity to advance the maturity of their security program, but commitment and buy-in from the company and key executives are crucial.
- One of the more interesting answers we received, in various forms, was the idea of going “back to basics.” This is not unique to the security community, but in ‘unprecedented’ times of uncertainty, there is no better time to focus on the foundational areas of your security program and ensure you’re prepared to scale when market stability returns.
- Other focus areas included data security, vulnerability management, SOAR, tool consolidation, zero trust, and OT/supply chain security.
- Why this matters: Companies continue to undergo massive transformation efforts, and identity and cloud security are at the core of this transformation. Companies that invest in these areas will continue to be one step ahead of competitors.
What is the biggest threat facing the security industry in 2023?
- The responses here fall almost completely in line with the focus areas above. (It would be concerning if they didn’t.) The top responses were Identity, Shortage of Skilled Talent, Ransomware, and Data Security.
- Another common response worth highlighting is the impact of the relationship between product development and security. The opportunity for security teams comes from the increasingly complex product development, data, and infrastructure environments. As the role of the CISO continues to expand, specifically in enterprise technology companies, the importance of the partnership between product and security has reached new heights. With that, security executives need to have a depth of product sense, ownership over product security, or a strong deputy with product experience.
- My personal favorite response to this question: “Overzealous sales & marketing,” which, if you’ve spent enough time on LinkedIn, you understand why this topic is on many CISOs’ minds!
- Why this matters: These will be the biggest opportunities for innovation moving forward, and likely the reason there will be a shift for growth-stage, private companies adding true CISOs earlier in the company lifecycle. Security executives are sharing what they view as the biggest threat(s) to their company, and that will shape much of where companies spend their money and the new products that come to market. If your company is in the security space and you’re not focused on solving for one of these threats, you are missing a massive opportunity.
The role of the CISO has been expanding for the last decade (or more). Most recently, we’ve seen an increase in the role’s remit. In your opinion, which of these traditionally non-CISO reports will or should report into the CISO in some capacity? Select all that apply.
- To me, this is the most interesting and important question on this survey. As companies look for ways to improve their security posture, there is no way around security being intertwined with every part of their business. It’s become clear to many CEOs that the best way to maximize a CISO’s efforts and influence is to expand their remit.
- Most CISO searches I conduct have at least one of the following functions in their organization beyond security, and most have multiple. The most common are privacy and IT, as reflected below.
- Why this matters: The most intriguing trends are data and product, though the latter is less far-reaching. Data is particularly compelling because it points to the possibility of the CISO role leap-frogging the CIO in the near future. For as long as I can remember, CISOs have most frequently reported into their CIO. However, given the growing emphasis on security paired with the familiarity with both IT and data, CISOs are the obvious choice to oversee those functions in the not-so-distant future.
Given the shifting nature of CISO roles and the additional pressures/liabilities that come with the position (Uber situation, for example), how positive are you on the future of a career in cybersecurity leadership?
- I’m not a CISO, but I’ve spent enough time with CISOs over the years to know they don’t run away from big, hairy, scary problems. I knew when I included this question that most respondents would still have a positive outlook on the profession. In fact, I was slightly surprised that over 7% of respondents flat-out said their opinion was no longer positive, given the opportunity and growth outlined above—though, with articles like this from The Information, I understand the shifting sentiment.
- The precedent set in the Uber case involving Joe Sullivan rattled the industry, and I’ve seen a growing number of security leaders asking for the inclusion of (or at least clarity around) company D&O insurance policies.
- Why this matters: One of the most consistent themes of this survey, if not the most consistent, is the underdeveloped security talent bench. This is a question I will be tracking more closely over the coming years. If the ~8% who no longer have a positive viewpoint of a career in security increases, then there is cause for concern. I believe the unprecedented situations presented in the last two years will be standardized and won’t be an issue in the near future, but who’s to say some other nuance doesn’t present itself? At the end of the day, CISOs don’t get into this line of work because of its simple and straightforward nature.
How does the return to the office impact the security team at your company?
- Almost 77% of respondents do not see a return to office impacting security teams, which was not surprising to me. Even before the pandemic, security teams were ahead of the curve in the spread of talent throughout the US and the rest of the world, for that matter.
- That said, many of the more technically inclined teams are seeing a higher return to HQ or specific hubs, so I was a bit surprised by the overwhelming majority response here. Only 4% of respondents were concerned about losing out on talent due to the return.
- I believe you will see less flexibility around where CISOs and security leadership sit in the coming years. As the role gets closer and closer to the CEO, top executives will urge CISOs to be at HQ.
- Why this matters: I don’t see this changing, even if the role of CISO becomes more closely paired with company headquarters locations. Unlike other technical functions, security teams can be equally successful in remote locations, with few exceptions, and in those cases, having specific hubs usually solves the issue. Security teams will continue to benefit from the thesis of “hiring the best people, no matter where they are.”
Which one of these security functions/skills will be top priority for your recruiting efforts in 2023?
- The top three focus areas for hiring this year will be Incident Response, Security Engineering/Architecture, and GRC functions.
- These functions are usually the highest demand and most competitive talent pools. Progress has been made on the depth of talent on the security engineering side, but in my opinion, it still has a long way to go to catch up to demand.
- As technology companies continue to invest in security programs and the field’s growth opportunities skyrocket, you’re seeing more traditional engineers switch to security. I believe this will be the key to producing a viable bench of future CISOs, and the more cross-training and internal hiring CISOs do for their teams, the better the function will be 5-10 years from now.
- Why this matters: The narrative is that hiring will be slower in 2023, but that doesn’t change the fact that these are people-heavy security functions that remain a top priority. This year will present a significant opportunity for companies to cross-train or repurpose roles they may have otherwise eliminated and instead deploy high-potential employees into new, burgeoning security roles and areas of specialization.
Identity Data: Gender and Ethnic Diversity Across Security Leaders
- There remains a great deal of work to do to increase gender and ethnic diversity at the C-levels across technology, and security is no exception. Our results for females in CISO roles came back slightly below the F500’s data of 17%. As for ethnic diversity, our results showed 23% of CISOs are from underrepresented groups, compared to closer to 28% for the broader F500. The data clearly illustrates the massive lack of gender and ethnic diversity across senior security leaders.
- Groups like Women in CyberSecurity (WiCyS) and Cyversity, among others, are doing fantastic work to prepare future security leaders and bring awareness to issues of representation, but the shift will take time, diligence, and effort. In my experience, though, one of the strengths of the CISO community is that they rally around each other, so my hope and belief is we’ll see much more gender and ethnic diversity in top security roles in the coming years.
- SPMB recently spent time with Ada’s CTO, Jessica Popp, and discussed how to strategically build and develop a diverse hiring strategy. Check out both Part ONE and TWO of our client spotlight Q&A.
- Why this matters: Diversity at the executive level has yielded better business outcomes, both culturally and financially. While the feeder functions into security (IT, for example) have not always been a glowing example of diversity, there are concerted efforts to change that. I believe the CISO community will, and in many cases already has, rallied around efforts to bring more diversity to the function. It’s something that I personally take very seriously; in fact, 57% of my CISO placements over the last three years have been underrepresented individuals.
What best describes your current role?
- Without question, most CISOs reside at public companies, and rightfully so. In 2023 you will see the pre-IPO and private companies continue to grow their share of this pie. More and more early-stage companies are strategically investing in a true security executive.
Where do you report?
- This may be one of the most heartening results in the entire survey. Since I began working in security, the consensus has always been that this role should report to the CEO. For many years, I didn’t see much movement, but 23% of the respondents here report directly to the CEO, and my daily conversations with companies tell me this number will continue to rise.
- Why this matters: By elevating CISOs to a true “seat at the table” role, you’re telling customers, employees, and partners that you are doing everything you can to protect their interests. That is a strong message to send in a fairly simple way.
How is your compensation structured?
How has your compensation changed over the last 2 years?
- In line with many executives in the past two years, the vast majority of CISOs saw their annual compensation increase anywhere from 5% to over 15%, and only 15% saw their compensation stay flat over this time period.
- There are many factors at play. Coming out of the pandemic, companies needed to ensure they had secure remote/hybrid work options for their employees. Public, seemingly constant news about breaches has become unavoidable for boards and executive committees, which increases the importance of having a top-tier CISO leading the fight. And an overall increase in the number of CISO opportunities has driven up the price of what’s a limited pool of qualified executives.
How do you think security executives’ compensation will change over the next 3 years?
- This was incredibly interesting to me. While over 57% of CISO respondents saw increases of at least 5%, and many well over that in the past two years, only 19% see significant increases coming for CISOs in the next 3 years. Most have the function growing in line with industry trends and the economy, which, to be fair, makes sense.
- The shocking part to me is that most CISOs have seen increases the past two years, and they agree that budgets will continue to expand along with the evolution and rise of the role’s responsibility and influence. However, they don’t believe compensation will continue to rise at an equal or greater level. Why is this? That’s a question I’ll be digging into further later this year. Stay tuned!
- Why this matters: For as long as I’ve been working on CISO searches, compensation has been the hardest thing on which to advise. Companies’ compensation for top security leaders has been inconsistent to say the least. The evolution of the role has led to some stability, though, and with that, more consistency in market compensation. I see that continuing for the next couple of years, which aligns with the varied responses below.
Thank you to all the survey respondents for making this project possible and allowing me to capture this industry data year-over-year. As always, if we can help you take advantage of the current market conditions to expand or upgrade your leadership team, please reach out to me.