The threat of cyberattacks keeps many US CEOs awake at night, but fewer than half of them have a CISO to check under their company’s bed for digital monsters.
Cyber-attacks were ranked as the No. 2 geopolitical concern in the Conference Board’s 2024 CEO survey. Yet only 45% of American companies have a chief information security officer, according to a Navisite poll from 2021, the most recent research on the issue.
Those numbers suggest a whole lot of businesses out there have no CISO. Let’s break down why so many companies don’t have one, how they’re managing cybersecurity without one, and nine key signs that a company does indeed need a CISO.
Why some firms go without a CISO
Size matters when it comes to hiring a CISO. Smaller companies simply may not need (or realistically be able to attract) a CISO.
“Just imagine you’re a 200-person company with one business line that’s not very complicated. Do you really need a full-time CISO? What are they going to do all day? It probably doesn’t make sense,” says Rob Black, CEO of Fractional CISO, a Boston-based firm providing companies with virtual and part-time CISO services. “If it’s a 200-person widget-maker, is there a CISO that wants to work for that organization? CISOs want interesting work,” he adds.
That said, even businesses with sizable headcounts choose to forgo the CISO role. “We run into 1,000-person companies all the time without a CISO, and maybe even larger,” says Black.
The cost to hire and retain a CISO is a major stumbling block for some organizations. Even promoting someone from within to a newly created CISO post can be expensive: total compensation for a full-time CISO in the US now averages $565,000 per year, not including other costs that often come with filling the position.
“If it’s a larger business then they’ll need to hire a team behind the (CISO). They’ll need architects, they’ll need a SOC, they’ll need engineers. So, then the cost of resources kind of expands,” says Sistla Vaishnavi, a UK-based principal at Riviera Partners, an executive search firm headquartered in San Francisco.
The Navisite survey suggests companies face another barrier to hiring a CISO: the never-ending talent gap. “(The) cybersecurity skills shortage … extends to the highest levels. Companies value and want cybersecurity leadership, but it is increasingly difficult to find and retain these individuals,” the Navisite study declared. In a nutshell, the global dearth of cyber talent discourages many firms from embarking on a lengthy, expensive CISO search that could ultimately prove fruitless.
Non-CISO cyber options
Who’s managing cybersecurity at organizations that don’t have a CISO? Navisite’s survey revealed 60% of companies rely on other parts of their organization to manage cybersecurity, such as IT, executive leadership or compliance staff.
In most cases, it’s probably the CIO. A 2023 report by Cybersecurity Ventures suggests CIOs are most likely to manage cyber at companies with no CISO. The study estimates approximately 90% of organizations with a full-time CIO do not employ a full-time CISO.
Running cybersecurity on top of their own duties can be a tricky balancing act for some CIOs, says Cameron Smith, advisory lead for cybersecurity and data privacy at Info-Tech Research Group in London, Ontario.
“A CIO has a lot of objectives or goals that don’t relate to security, and those sometimes conflict with one another. Security oftentimes can be at odds with certain productivity goals. But both of those (roles) should be aimed at advancing the success of the organization,” Smith says.
Though delegating cybersecurity to other people in your organization — CIO, CTO, IT director or compliance manager — is faster and cheaper than hiring a CISO, Vaishnavi warns of potential downsides to this stopgap approach:
- A CIO or CTO may not have the cybersecurity certifications and expertise a CISO would bring.
- CIOs and CTOs who add cybersecurity to their overloaded plates risk “spreading themselves too thin”.
- Cybersecurity may not get its own separate seat of influence at the boardroom table.
No CISO at the boardroom table can be perilous
In the event of a breach or hack, this lack of direct boardroom access can be disastrous.
“You don’t want to be going through multiple layers of command rather than going to the person who can actually give you the go or no-go to make decisions to protect the business. The decision-making timeline is significantly reduced as well (with a CISO),” Vaishnavi says.
A virtual CISO (sometimes called a fractional CISO or CISO-as-a-service) is one option for companies seeking to bolster cybersecurity without a full-time CISO. Black says this approach could make sense for companies trying to lighten the load of their overburdened CIO or CTO, as well as firms lacking the size, budget, or complexity to justify a permanent CISO. Most virtual or fractional CISOs:
- Are experienced former CISOs.
- Work remotely or hybrid.
- Work part-time for various clients simultaneously.
- Work on a temporary or renewable contract basis.
Though some people define a ‘virtual CISO’ as remote only, and a ‘fractional CISO’ as on-site, Black’s company Fractional CISO uses the terms interchangeably. Here’s how his firm helps companies that don’t have a full-time chief information security officer:
- Each client gets a virtual CISO plus a cybersecurity analyst.
- The fractional CISO performs board-facing duties (creating a cybersecurity roadmap, communicating with senior leadership).
- The analyst conducts risk assessments and gap assessments, performs vendor reviews, and edits security policy.
Costs can be much lower than a full-time CISO, especially since each client gets access to a part-time CISO and an analyst. “We have quite a big range with our clients, but the average client’s spend with us is a little over $100,000 a year,” says Black.
What if all of those options still aren’t enough? What are the signs you actually need a full-time CISO?
9 signs you need a CISO
You’re in a highly regulated industry
“Financial services, medical, health care, legal – those businesses will always need a CISO,” says Vaishnavi.
Black widens the CISO-ready scope further: “If you’re doing anything for the federal government or if you’re a public company, those (circumstances) all make sense.”
The tightening legislative environment around executive and corporate liability for cyber incidents is also motivating companies in non-regulated sectors to think about hiring CISOs.
“When GDPR was introduced in the EU and the UK, you could see a shift or increase in terms of people talking about security as a whole. That sort of thing has a very direct knock-on effect in terms of hiring trends,” says Vaishnavi.
You plan to go public
On its website, VC firm Andreessen Horowitz recommends that “all companies preparing for an IPO … designate a CISO who can implement the right IT controls, risk assessment, compliance testing, audit trails, and reporting functions in compliance with the Sarbanes-Oxley Act.”
You had a cyber incident
“As part of your root cause analysis, you might determine ‘why did we end up here?’ That would tell you, yeah, it’s time for the security role to be dedicated,” says Smith.
“It can kind of convert someone to become a true believer,” adds Black. “They have some horrible breach or incident and say hey, that just cost us $10 million. We would’ve been way better off if we’d just spent a fraction of that every year (on a CISO).”
Your peers have been breached
“Some companies are more forward-looking. Maybe they see a peer in their industry that’s had problems and they say you know what, we don’t want to be them,” says Black.
You want to stay on top of the expanding threat landscape
“Why is having a CISO important for some organizations now? I mean, the bad guys are making billions and billions of dollars from fraud, scams and attacks. Not mitigating that risk seems unwise,” says Black.
Your company is growing
“As the scale climbs — the number of people that work for you, the number of users, how much data you’ve got, how much revenue you’re turning over — all of these things play a big part in the decision that should go into whether you need to hire a CISO,” says Joe Head, founder of The Blueprint, a cybersecurity executive coaching firm in Henley-on-Thames, England.
Your board wants one
“We have seen smaller (companies) where there’s someone on the board who just says no, you have to (hire one) now,” says Black.
Your clients and prospects want one
Not having a CISO in place could cost your company business with existing clients or prospective customers who operate in regulated sectors, expect their partners or suppliers to have a rigorous security framework, or require it for certain high-level projects.
“If you’re selling IT and the large enterprise (customer) says ‘your security program is not good enough to comply with this thing or do this thing,’ you know that clearly they’re very concerned about security and you just don’t have a very strong (cybersecurity) program,” says Black.
Your VC or private equity fund wants one
“If you’re going through a funding round and you’re in an environment which is dealing with a lot of data or dealing with a lot of personal information, usually you have a CISO come on board at that point. I would say series A round or higher is usually the time,” says Vaishnavi.
‘CISO’ is more than a title
Head has seen a few companies take on a CISO based on the suggestion of a VC or PE fund. He argues, however, that the role must be treated as more than a technical manager hired to tick a box on a financing deal.
“A company should hire a CISO when they’re willing to invest in security and take cybersecurity seriously,” he says.
“They should hire one when they understand they’re hiring another business leader. But if you’re hiring a CISO and not giving them the responsibilities and the complexity of that level of position, then I would argue maybe you’re not ready for a CISO yet.”