
Cybersecurity risks continue to grow as threats multiply and the costs associated with each security incident continue to rise. One survey shows that the global average cost of a data breach in 2024 stood at $4.88 million, a 10 percent year-over-year increase.
Chief Information Security Officers (CISOs) are at the center of assessing these risks. Over the years, however, this role has evolved from that of a more technical manager to one that aligns with business priorities and speaks the language of the executive suite. A recent report from Splunk found that enterprises recognize the growing importance of security executives: 82 percent of CISOs now report directly to the CEO, compared to only 47 percent in 2023.
In addition, the study claimed that 83 percent of CISOs now attend board meetings. (The Splunk survey was based on responses from 500 CISOs, CSOs and other cyber executives, as well as an additional 100 board members.)
The CISO's move into the executive suite is only one change. As organizations have moved their IT infrastructure from on-premises to the cloud, and as the workforce has become more distributed across multiple locations, attack surfaces have expanded, and so have the risks. These business challenges continue to reshape the role of the CISO, including how CEOs and boards view the position, interact with cyber executives and respond to growing security risks.
“There has been a shift in CISO reporting structures that lean toward the senior leader with overall responsibility for business risk,” Bruce Jenkins, CISO at Black Duck, told Dice. “The expanding and dynamic risk picture, along with changing reporting structures, creates new conversations around the role of the CISO and the part they play in articulating software and cybersecurity risk management strategies to customers, partners and prospects.”
While cybersecurity’s importance is firmly recognized and stakeholders understand the impacts on the bottom line, boards and their CISOs still have trouble seeing eye-to-eye. The Splunk survey showed that only 8 percent of CISOs exceeded the board’s expectations. At the same time, only 29 percent of CISOs surveyed reported that their board includes at least one member with cybersecurity expertise.
While these obstacles exist, it’s important for CISOs—and those who aspire to cyber leadership positions—to develop the right skills to not only address the technical aspects of the job but also properly communicate risks, compliance and other security issues to the business and executive side of organizations.
“There are still many areas of misalignment, including what skills are most important for CISOs to develop, how CISOs spend their time, and what strategies are effective in persuading our boards for additional budget,” Michael Fanning, CISO of Splunk, wrote in the report.
While CISOs and aspiring security leaders typically have the technical know-how to succeed in these leadership positions, the Splunk survey and industry experts note that so-called soft skills are increasingly important.
What CISO Skills Remain in Demand?
Learning and developing new skills as a fully employed CISO can prove a challenge. Still, the Splunk report noted that CEOs and boards increasingly look for soft skills and business acumen in their security leaders. Cyber executives who can communicate risk to the wider business are in demand.
Among CISOs surveyed by Splunk, 63 percent cited leadership skills as the most important to develop – the highest percentage listed in the report. Other skills included:
- Collaboration (58 percent)
- Regulation and compliance knowledge (57 percent)
- Communication (47 percent)
- Business acumen (40 percent)
- Emotional intelligence (35 percent)
The fact that many CISOs need these skills is a testament to how the role has changed. Cybersecurity leadership now means more to organizations than someone who understands only the technical aspects of the job, said James Scobey, CISO with Keeper Security.
“As the CISO role has grown, so has the range of responsibilities,” Scobey told Dice. “Originally focused on technical expertise with some leadership and business acumen, today’s CISOs are expected to engage deeply with other C-level areas including legal, finance, HR and operations.”
As attacks and cyber incidents have increased over the past decade, CISOs are increasingly held responsible—sometimes legally. That makes communication and leadership skills, especially when communicating critical information up and down the chain of command, much more important, noted Devin Ertel, CISO at Menlo Security.
“Cyberattacks are getting riskier and more frequent, putting CISOs squarely in the hot seat to keep companies safe. It's not just about tech anymore, either; CISOs are expected to be risk managers, business strategists and boardroom communicators all rolled into one,” Ertel told Dice. “This increased responsibility, coupled with a cybersecurity talent shortage, has elevated the value of experienced CISOs considerably.”
Blending Technology Skills With Broader Objectives
While communication and leadership skills are important, CISOs will also need to blend those with their technical know-how.
For instance, Agnidipta Sarkar, vice president for CISO advisory at ColorTokens, believes that, over the next year, CISOs will see their jobs evolve toward more business enablement through Agile and collaborative cyber practices, balancing risks and opportunities.
Security leaders must also push business leaders to embed breach readiness and cyber-defense practices into business functions, making businesses breach-ready by design.
“Does this mean that CISOs will sacrifice their technical acumen? Certainly not. If anything, the technical capabilities will be leveraged to make the CISOs own the cyber security baton of the business for digital resilience,” Sarkar told Dice. “It will not be easy. Many would struggle and cyber defense evangelists will need to step in and help, but that confluence of technology, risk and business acumen is the future of CISOs.”
How Aspiring CISOs Can Develop Skills
While many CISOs have been in the cybersecurity business for years, younger tech and security professionals who aspire to the role can start now to develop a multitude of technical and business skills that can help later in their careers.
Dan Anconina, CISO at XM Cyber, suggests three ways to build CISO skills:
- Work at Cybersecurity Consulting Firms: Consulting firms typically serve clients across many industries, allowing tech pros to gain exposure to a variety of cybersecurity risks and challenges. This experience helps candidates understand how different sectors operate and the unique threats they face, all while remaining in one role.
- Join a Cybersecurity Vendor Serving Multiple Industries: Working for a cybersecurity company that provides products or services to clients across diverse sectors can give tech pros broad exposure to different security requirements. This includes helping customers address threats that span many industries, allowing pros to see the commonalities and differences in how each one manages security risks.
- Leverage Common Threats Across Industries: Although industries may differ, many cyber threats, such as data privacy breaches and information leakage, are increasingly universal as businesses become more digital. Understanding these common threats and how they apply across various sectors can enhance tech pros’ expertise without requiring a change of industry.
“CISOs should focus on areas where they can drive significant impact, such as artificial intelligence (AI) and machine learning in cybersecurity, cloud security and continuous threat exposure management or CTEM,” Anconina told Dice. “The integration of AI to augment security operations and threat detection is a growing trend that forward-thinking CISOs should explore. Additionally, with the rise of remote and hybrid work environments, cloud security and zero trust architectures will remain high priorities.”