A CISO’s job in 2024 is in flux. It has evolved from technical, to strategic, to business leadership and sometimes being the legal fall guy. Those takeaways are from keynotes, roundtables and conversations with chief information security officers at the recent RSA Conference.
"What we are seeing at a high level is a market where the expectations around the CISO role are transforming from a tech leadership role into more of a business risk executive role,” said Steve Martano with Artico Search during the RSAC panel "State of the CISO 2024: Doing More With Less."
Topping his list of pressing CISO issues are tightening budgets, a more complex threat environment, advanced AI tools, new regulatory mandates and increased anxiety over new and emerging threats.
Those trends are pushing CISOs to go beyond their cybersecurity focus and forcing them to consider new nation-state adversaries, new attack surfaces and new AI shadow IT headaches.
CISO juggling act
Harold Rivas, CISO at Trellix, described this conundrum as CISOs having high responsibilities that too often come with low authority within the enterprise.
He said CISOs need to juggle three hats — not one. Speaking at an RSA Conference session, Rivas said those hats include architect, operator and connector. The architect aligns business with tech priorities. The operator understands and puts threat intelligence into the context of business operations. As a connector, a CISO must communicate clearly with executive leadership and boards.
“As we see this CISO role evolving, we're seeing scope creep continue dramatically each year,” Martano said. Having a larger stake in the enterprise tech stack is not a bad thing, he said, so long as resources and executive board access also follows suit.
Money matters
In 2024, staff and compensation represent 38% of a security budget, according to Martano.
“CISOs consistently tell most of their budget is going to tools to support a business goal,” he said. “Where we can't get enough money is hiring staff."
Special RSAC 2024 CISO Coverage
Attracting and retaining top cybersecurity talent remains a significant challenge, said Bryan Palma chief executive officer, Trellix. “That battle is ongoing and organizations need help to attract and retain top talent,” Palma said.
Other CISOs observed that positive hiring trends for employers are shifting thanks to a post-pandemic new normal and a tightening tech sector. The biproduct is improved employee retention and a cooling of the corporate compensation wars to lure talent. They explain a shift from an all-remote workforce to one where employees spend several days a week in an office spurs better peer and manager relationships, which has helped with job retention and satisfaction.
“If they're satisfied with their manager and feel there is opportunity for upward mobility, that’s going to help retain talent,” Martano said.
CISOs navigate regulatory and legal minefields
“The role of chief information security officer (CISO) has never been more challenging or scrutinized. Escalating cyber threats, tightening regulations, and increasing responsibilities place CISOs at the front lines of digital defense and corporate accountability,” wrote Yoran Sirkis, CEO, Seemplicity in a recent SC Media column.
Sirkis cited last year’s Securities and Exchange Commission actions against SolarWinds and its CISO with misleading investors about cybersecurity practices and known risks. The conviction of former Uber Chief Security Officer Joseph Sullivan and new SEC cybersecurity disclosure requirements introduced in late 2023 exacerbate these concerns.
“The case not only highlights the company's oversights but also underscored a worrying trend: the growing personal accountability for CISOs in matters of security failures and disclosures,” Sirkis wrote.
Sirkis and other CISOs caution that an uptick in legal actions could have repercussions for cyber executives more focused on legal versus cyber defenses. Demanding more detailed disclosures requires a balance between securing the organization and managing personal liability, which could result in defensive practices and an environment of mistrust, Sirkis said.
CISOs Ponder a Path Forward
To navigate these challenges, CISOs need stronger alignment with boards and CEOs, open communication channels, adequate resources, and a corporate culture prioritizing cybersecurity. This support is essential for CISOs to protect their organizations and align with evolving regulatory requirements, ensuring a resilient corporate infrastructure.
"As we move into the era of possibility, the need for a collaborative approach in cybersecurity is paramount. The work of CISOs will shift dramatically, necessitating a stronger community and shared defense strategies to combat increasingly complex threats," said Bryan Palma Chief Executive Officer, Trellix at "CISO Confidential: What Separates the Best from the Rest."
The CISO’s role, he said, always grows more complex — as do cyberthreats. That’s why it’s critical for CISO collaboration, but also partnerships with regulators, policymakers and customers to create a “shared defensive strategies,” Palma said.
"When we ask CISOs what’s needed most to improve your organization's capabilities to defend against new cyberattacks, it wasn't new LLM models, algorithms or machine learning… The No. 1 answer was industry peers sharing insight,” Palma said.
(Editor's Note: This is the first in a series of articles to feature the 15 Top Cybersecurity Trends of 2024 & 2025)
