The chief information security officer (CISO) role is one of the more stressful leadership positions in enterprise technology, especially with increasing attacks and threats from cybercriminals and nation-state actors. Now, research shows that added responsibilities can raise that pressure and shorten the tenure of cybersecurity leaders.
A recent study released by Deloitte and the National Association of Chief Information Officers (NASCIO) found that 86 percent of state CISOs report their responsibilities are increasing, including understanding and setting policies for technologies such as generative artificial intelligence (AI) as well as securing users’ data privacy. In turn, these changes are altering the job descriptions of security leaders and reducing the time they work within these leadership roles.
Digging into the numbers, the survey found about 71 percent of respondents believe the risk of AI-enabled threats is "high," but 41 percent lack confidence in their team's ability to handle them.
The study also noted that, in 2022, about 60 percent of these CISOs had a role in maintaining data privacy. That number jumped to 86 percent this year as more laws have been enacted to protect U.S. consumers. “In some cases, CISOs may be performing dual roles as both CISO and chief privacy officer (CPO), while in other cases, the CPO might be reporting to the CISO,” the study noted.
These additional and growing responsibilities, coupled with daily threats and concerns over budget dollars, are slashing the time state CISOs stay in their positions. The study found the median tenure of these security leaders is now 23 months, down from 30 months reported two years ago.
The Deloitte and NASCIO survey gives additional credibility to other reports that CISOs feel burned out by the changing nature of the position, constant threats, and concerns over budgets. In turn, as many as three-quarters of security executives want to change jobs.
“The NASCIO report highlights a concerning trend in the cybersecurity field, particularly for those eyeing leadership roles,” said Omri Weinberg, co-founder and chief revenue officer at security firm DoControl. “The shrinking tenure of CISOs is a red flag we can't ignore.”
As the CISO role continues to evolve—with new threats, updated technologies, budget pressure, business considerations, a tougher regulatory environment, and so on—those tech and security professionals aspiring to move up the management track must begin learning how these positions are changing and what skills they need to master to ensure they can secure a longer tenure in a leadership role.
“If you're looking to climb the career ladder in cybersecurity, you need to be prepared for a constantly evolving role that carries increasing legal and regulatory responsibilities,” Weinberg told Dice. “The CISO position isn't just about technical know-how anymore—it's about being a strategic business leader who can navigate complex policy landscapes, manage diverse teams and communicate effectively with the board and frontline employees.”
AI Skills For Aspiring CISOs
The Deloitte and NASCIO study offers a mixed view of how these state CISOs view their staff: Approximately 47 percent believe they have the right mix of skills and competencies for the jobs, while about 50 percent take the opposite view. “In a field changing so rapidly and with new threats constantly emerging, keeping knowledge and skills up to date can be challenging,” the report noted.
Since a new generation of CISOs and security leaders will be drawn from these ranks, experts noted that gaining additional skills now can help as tech and security pros move up the career ladder. In addition, these skills can help prepare future leaders to navigate the changing nature of the position.
Unsurprisingly, knowledge of AI and its impact on the cybersecurity field is first on the list of desirable skills. “Any CISO in 2024 must have a fair understanding of how AI tools work, how they can be used for aiding in cybersecurity operations and how their negative leverage can be contained,” Agnidipta Sarkar, vice president for CISO advisory at security firm ColorTokens, told Dice.
For future CISOs, AI knowledge is critical to how the technology is changing the technical aspects of cybersecurity—attacks using generative AI to craft better phishing emails, for example—and how these tools and platforms are changing the very nature of business.
“Before taking on a higher position like CISO, you need to develop a broad skill set. Technical expertise is a given, but you also need strong business acumen, excellent communication skills, and the ability to think strategically,” Weinberg noted. “Experience in risk management, compliance, and incident response is crucial. Additionally, you should be comfortable with emerging technologies like AI and understand their security implications.”
The NASCIO report makes the same case for developing AI skills: “Cybersecurity issues will probably continue to escalate—especially with gen AI applications rapidly multiplying—and the CISO role is likely to continue expanding.”
Future CISOs Need to Look Beyond Tech
While AI is viewed as one of the more valuable new skills tech pros must learn on their way to a leadership position, several cyber experts noted that the ability to communicate effectively with departments outside of IT and security can help future CISOs better handle their jobs.
“You’ll need to effectively communicate security issues to executive leadership and stakeholders, secure the necessary funding for cybersecurity initiatives, and lead a team of professionals while aligning security objectives with business goals,” Jason Soroko, senior fellow at Sectigo, told Dice. “Be prepared for heightened accountability and potential impacts on work-life balance due to the demanding nature of the role.”
“At a minimum, you need to know about the business, the markets it operates in, the criteria for success and failure and how digital systems contribute to that,” Sarkar noted. “Ideally you should know about what makes the primary line of business owners win or lose, and the indications of winning against competition. A fair idea of budgeting cycles and criteria, the attitude towards insurance and managing workforce and contractors is essential, too.”
Other industry insiders also see effective communication as an underrated skill that CISOs will need as cybersecurity risk continues to affect the bottom line of many organizations.
By looking for candidates who understand business, some companies are beginning to expand into areas outside of traditional IT and cybersecurity to find potential CISO candidates, observed Casey Ellis, founder and chief strategy officer at Bugcrowd.
“The role of a security executive is technical, financial and has a strong component of internal and external evangelism,” Ellis told Dice. “The good news is that this means the potential talent pool is a lot broader than most would normally assume, but the important thing to consider is that it's extremely rare to find individuals with skills in all three of these directions, so as a new leader you'll almost invariably need to learn to drive areas of business that you are less familiar with.”
Compliance and Legal Issues
Another area to consider is how legal and compliance considerations could affect the CISO role and whether there are skills to help tech and security pros better understand these issues and how they can impact the organizations and themselves personally.
Several experts noted that some CISOs have recently run afoul of the law or federal regulators following a cybersecurity incident or data breach. It’s also a significant reason why many CISOs leave after two years or fewer in the position.
“As attacks have gotten more sophisticated and frequent, public and government scrutiny has also increased,” Darren Guccione, CEO and co-founder at Keeper Security, told Dice. “When security breaches or compliance failures occur, CISOs may even face potential legal repercussions, including civil or criminal liability. The combination of rising expectations, increasing pressure to prevent breaches and the potential for personal liability compound the challenges that CISOs face, which may be contributing to shorter tenures as they navigate an increasingly demanding role in a fast-changing landscape.”