Thank you to all who participated in this year’s survey focused on the key security themes and leadership trends we predict for 2024. We had nearly a 30% increase in responses — by far the most we’ve received in the years we’ve been doing this. We appreciate your insights and continued engagement!
And now to the results…
You can access the raw survey results here or via the link at the bottom of this article.
Below, we’ve expanded on the five major themes that stood out among the 20+ questions surveyed. Our data-driven conclusions touch on the important topics in today’s changing climate, and we hope our findings will be helpful to you, your organization, and the broader security community as you navigate the year ahead.
2024 will see security budgets reach new heights
The cybersecurity landscape is witnessing a significant funding boost, with 76% of CISOs reporting that they expect their organizations will increase security teams’ budgets in 2024. This represents a noticeable uptick from the 68% reported last year, which underscores companies’ growing recognition of cybersecurity not as an area to cut costs, but rather as a strategic investment in the protection of sensitive data and critical systems.
Survey results suggest that these funds will be allocated in a relatively consistent manner. The leading priority for budget allocation continues to be automation, although it decreased slightly from 38% in 2023 to 32% in 2024. Organizations recognize the value of automation in streamlining security processes and responding to threats more efficiently. From my discussions with the CISO community, I believe that the decrease year over year is less about executives deprioritizing automation and more about a percentage of respondents having reached a level of comfort around automation in their organizations.
Furthermore, 27% of CISOs still plan to invest their budgets in talent acquisition, a figure that has remained unchanged YoY. The emphasis on acquiring and up-leveling skilled cybersecurity professionals reflects the ongoing need for expertise in an ever-evolving threat landscape.
Lastly, there is a notable increase in allocating budget to “first-line defense,” rising from 11% in 2023 to 14% in 2024. This suggests that organizations will place more emphasis on strengthening initial defenses and preventing breaches before they occur rather than solely focusing on incident response.
A Recruiter’s Perspective:
During a search, one of the first questions I receive from candidates is about how companies budget for security improvement. Security budgets are generally very fluid, increasing when there is an event and later being deprioritized once a certain maturity level is reached. Historically, CISOs have been chided for using fear as a lever to secure investment from their boards, sometimes out of necessity. Over the last few years, though, I’ve seen more consistent investment, which is a result of security executives having a more direct relationship with their board (more on that below) and taking a business-minded approach to how they share the results and impact of their security improvement initiatives.
Few companies are ahead of the curve in preparing for risks posed by AI
The adoption of AI is growing rapidly across industries, but with it comes new security and regulatory risks. The majority of CISOs (57%) express confidence that their organizations are making progress in managing AI-related risks, which suggests that many companies are actively working to develop strategies and protocols to mitigate emerging threats.
However, around 14% of CISOs surveyed believe their organizations are “completely unprepared” for the additional security and regulatory risks posed by AI. They recognize that while AI offers significant benefits, it also introduces vulnerabilities and complexities that must be addressed.
A small number of CISOs (11%) believe their organizations are ahead of the curve in mitigating AI risks. This suggests that some organizations have successfully integrated AI into their cybersecurity strategies and are leading the way in adapting to the changing landscape.
Another important data point is that 54% of the surveyed companies already use AI in some form to assist in writing code, while an additional 21% are in the evaluation stage. This suggests a widespread acceptance and adoption of AI within the industry. However, it is crucial for organizations to strike a balance between innovation and security to ensure that AI is leveraged effectively while safeguarding against potential risks.
A Recruiter’s Perspective:
AI was the hottest topic in technology in 2023 and will likely remain so this year. The use cases for AI will continue to grow and present new challenges for security leaders for many years to come, which will elevate security leaders with backgrounds in security engineering, product development, and other more data and product-focused functions. This is not to suggest that GRC-focused security leaders will be displaced, but those with experience closer to that of the groups who leverage AI at the enterprise level will be more valuable to their companies.
This finding is validated further when you look at how CEOs view the growing use cases for AI in their business, along with the associated risks. The majority (64%) of CEOs believe their businesses are not doing enough to manage the unintended consequences presented by AI, according to an EY Survey last year. That same survey says that 88% of these CEOs are investing in AI technology at their companies. This will be a major topic in the security community for years to come, so the more security leaders can embrace it, the greater their opportunity to make a tangible impact going forward.
Direct line to CEO is on the rise
One significant trend that continues to stand out and grow is the increasing number of CISOs who report directly to the CEO. This year, our data reveals a noteworthy jump, with 27% of CISOs reporting directly to the CEO in 2024, compared to 22% in 2023. The shift signifies a growing acknowledgment within organizations that cybersecurity is not just a technical concern but a strategic one that warrants a direct line to the highest levels of leadership.
Interestingly, the most substantial change in this year’s responses pertains to reporting structures. In 2023, 54% of CISOs reported to the CIO or CTO, but in 2024, that figure has decreased to 38%. This adjustment aligns with the desire among CISOs for a reporting line that better reflects the strategic importance of cybersecurity.
Diversity in reporting structures still exists, with some CISOs reporting to various executive roles such as the COO, General Counsel, CFO, and other non-technical functions. Nonetheless, the trend toward CISOs reporting to the CEO signals a shift in the recognition of cybersecurity as a vital business component.
Our data also reveals a 10% increase in CISOs reporting to the board monthly rather than quarterly in 2024. The majority (54%) still report at least quarterly, emphasizing the importance of transparency and communication between CISOs and their organizations’ governing bodies. Only 5% of CISOs never report to their board. These metrics highlight the commitment to governance and oversight of cybersecurity initiatives across industries.
A Recruiter’s Perspective:
Over the last few years, I’ve been pleasantly surprised by the progress made with regard to CISOs’ reporting structures. While I still subscribe to the idea that the person you report to matters more than the title, the shift toward CEOs prioritizing a direct line to their security executive is promising. If you report to the CEO, great. If you don’t, it’s critical that the person you report to sees security as an enabler of their business rather than a roadblock. This is where there has historically been tension between the offices of the CIO/CTO and the CISO. I don’t advise against this reporting structure, but I believe it’s critical that the two functions have some autonomy and work together to achieve security goals without stifling innovation.
There are two main reasons for this shift to a direct reporting relationship with the CEO. One is the acceptance that security risks are not a siloed topic, and because of that business-wide impact, CEOs need a direct line to the leader who owns those risks. The other reason is the focus of theme four below: the CISO role is evolving and has taken ownership of other functions, which justifies a closer connection to the CEO.
CISO’s scope is broadening with several avenues of expansion emerging
It’s evident that the CISO role has been expanding for years and will continue to do so in 2024. CISOs are expected to take on more responsibilities beyond traditional cybersecurity domains, which reflects the interconnected nature of technology and security within organizations.
67% of CISOs anticipate owning IT functions outright in the near future, up from 53% in 2023. Their responses indicate a growing recognition of the synergy between IT and cybersecurity, with CISOs playing a more prominent role in shaping an organization’s overall technology strategy.
Likewise, 58% of CISOs foresee taking some level of ownership over data teams, which is an increase from 50% in 2023. The expanded responsibility underscores their critical role in safeguarding an organization’s most valuable asset—its data.
While 77% of CISOs had expected to own Privacy and Trust organizations in 2023, this number decreased to 67% in 2024. This adjustment could reflect changes in the organizational landscape or a reevaluation of reporting structures.
Among the most notable shifts is the expectation that CISOs will own product or engineering teams, which has surged to 58% in 2024 compared to 35% in 2023. The increase highlights the growing recognition of cybersecurity as an integral part of product development and engineering, which emphasizes the need for security-by-design principles.
With this expanded remit, it’s only natural that CISOs will have greater compensation expectations. According to our data, 70% of CISOs expect their compensation to grow over the next three years, with 22% expecting significant increases of at least 15%, up from 19% of CISOs who expected significant increases last year. However, there is a faction of CISOs (approximately 8%) who anticipate decreased compensation if the economy continues to face challenges, demonstrating the ongoing need for adaptability and resilience.
A Recruiter’s Perspective:
It makes sense that we’re seeing an increased remit for security executives as security events continue to make headlines and the risk landscape continues to expand. IT and security have always gone hand in hand, and with the increased publicity around breaches, demand for security expertise is at an all-time high.
A trend I’ve seen for years with my clients—and one that is well represented here—is the importance of ownership, or at least firm partnership, between security and product development. A growing number of companies have approached me about searches in which the CISO will own a team that overlaps directly with product development. That connection creates more synergy and understanding of security objectives within a company, and leads to more efficiency in the product development lifecycle.
There are still skeptics here who believe that security must remain completely autonomous to accomplish the goals of the organization. I don’t disagree, and there are many industries where that is the most viable option, but in an ever-changing landscape where technology is everyone’s job, no matter the industry, the more influence a security leader can have, the better.
Future outlook on the CISO role remains optimistic despite recent events
According to our data, 76% of CISOs (down just 4% from last year) maintain an optimistic view of the CISO role in the long term. An additional 16% of those surveyed see it as a positive career but hold a partly negative outlook: they acknowledge the complexities and challenges of the role while still finding value and opportunity in their positions.
Matching last year’s results, only 8% view the role as too risky. Therefore, even within an evolving landscape with inherent challenges, the outlook for a career as a Chief Information Security Officer remains largely optimistic. The majority of CISOs continue to believe in the importance and potential of their role, even in the face of evolving threats and responsibilities.
With the evolving threat landscape in mind, there are some consistent trends in what security executives see as the biggest threats facing them in 2024. The vast majority of CISOs surveyed outlined three major threats to their businesses. The top response was cyber/phishing attacks, which was also the top response in 2023. The rise of AI in enabling these attacks was the second most significant threat, with company-wide issues such as funding, alignment, and talent resources rounding out the top three.
A Recruiter’s Perspective:
There have been a couple of high-profile cases where CISOs were held accountable for a breach, which undoubtedly impacts how people view the future of the role. Most respondents shared that this has not changed their role beyond having more influence at the CEO and Board levels. Some mentioned elevated attention to D&O insurance inclusion (I’ve taken many calls on this exact subject), and some have even shared that their companies moved security out of the technology organization to mitigate the risk.
Security is too important of a topic for companies to leave their executives at risk, so I believe we will see a continued emphasis on ensuring CISOs are covered by D&O insurance policies. That will be made easier by the increasing remit and direct reporting lines covered above, but it will take continued efforts by CISOs to ensure they are protected. The security community certainly embraces the role of “firefighter” but they should not be at risk of personal harm in their efforts to do what is best for the company.
Survey Data & Additional Resources: