Attacks/Breaches
3/24/2016
03:40 PM

Meet The Fortune 100 CISO

Digital Guardian data shows that the typical Fortune 100 CISO is a white male with a background in IT security and a Bachelor's degree in business.

While still relatively new to the C-suite, the role of the chief information security officer (CISO) has become more prevalent as major breaches force companies to take a hard look at their security posture and whether or not they are appropriating the proper (human) resources to avoid a breach. More than half of businesses have a CISO in charge of their security, and even the White House--although perhaps a little late--is gearing up to hire its first federal CISO.  

As the CISO takes a permanent seat at the executive table, questions about what qualifies an individual for the position arise. Digital Guardian, a data protection company, researched the typical traits of today's CISO and produced an infographic revealing just what a typical Fortune 100 CISO looks like. 

It probably comes as no surprise that Digital Guardian found that most CISOs, 89%, are male, a number that largely reflects the gender breakdown of the information security market. “There is a growth in the demographic as security expands, but with all C-level positions, it takes time to get that change all the way up,” says Salo Fajer, CTO for Digital Guardian. 

One stat that Fajer found very interesting was the number of CISOs with an education in business who are entering the security world. According to the infographic, 40% of CISOs have business degrees, with information technology/information security and computer science following behind, with 27% and 23%, respectively. “It’s not necessarily surprising considering the need to keep the business model in mind as you calculate the risk with the security posture in mind,” Fajer says.   

Nearly 20% of CISOs have backgrounds in military or government work, the second most common background after IT/IT security (59%). To Fajer, this makes sense: CISOs have to approach security with an investigative eye and focus on more than just layered defense, he says, and when CISOs have a background in military or government work, it helps bolster the investigative skills of incident response teams.

Most CISOs haven’t logged many miles in their positions, however: 80% of CISOs have held their current position for less than five years. Fajer says there's a growing awareness of security as a high-level concern within the organization rather than just a subset of IT operations.

Fajer says a few qualities that the infographic doesn’t highlight but are essential to success as a CISO are the ability to balance the needs of the business and the security posture, as well as knowledge of regulatory and investigative procedures.

Having the business acumen to understand the impact of a breach is the most important skill a CISO can have, he says. A myopic view that only includes the needs of your department just won’t cut it.  

Source: Digital Guardian

Emily Johnson is an Associate Editor on UBM America's Content Marketing team. Prior to this role, Emily spent four and a half years in content and marketing roles supporting the UBM America's IT events portfolio. Emily earned her B.A. in English from the University of ...

Comments
Joe Stanganelli
User Rank: Ninja
3/30/2016 | 8:31:43 AM
Re: BA degree in business?
The CISO is, in my mind, more on the financial side of the equation than the IT side of the equation -- especially if the CISO is also responsible for general data privacy measures/compliance.  Security, privacy, data protection -- these are all risks.  As such, they fall under the heading of risk management -- finance.

Compare the CIO, who is more involved with IT as a whole.
Dr.T
User Rank: Ninja
3/28/2016 | 12:05:18 PM
BA degree in business?
That is also surprising for me; you would expect a BA in IT at least.
Dr.T
User Rank: Ninja
3/28/2016 | 12:03:13 PM
Re: OWASP top 10 CISO
Good point. An information security officer has to have a good understanding of both application and network architecture. It does not matter at what layer the vulnerability is. 
Dr.T
User Rank: Ninja
3/28/2016 | 11:59:34 AM
Re: Who Fortune 500 CISOs listen to?
Good to know. I will check this. Everybody needs some type of security awareness training I would say.
Dr.T
User Rank: Ninja
3/28/2016 | 11:57:45 AM
Re: interesting to know
It was surprising for me; I was expecting a more diverse picture.
Dr.T
User Rank: Ninja
3/28/2016 | 11:54:57 AM
Typical CIO
Obviously the same characteristics as CIO and CTO. COO and CEO for that matter. 
johannacuriel
User Rank: Apprentice
3/27/2016 | 8:08:55 PM
OWASP top 10 CISO
Recently, we had a discussion at OWASP regarding the Top 10 CISO. From our point of view, this person should have a programming background in order to make sure that application security gets the attention it needs. We are quite afraid that most CISOs focus only on network security and ignore app security. Also, there is a potential inability to communicate with application developer teams and understand their issues and needs.
DorisG987
User Rank: Strategist
3/27/2016 | 3:28:13 AM
Who Fortune 500 CISOs listen to?
Mr. Edgar Perez teaches a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he is offering cyber security workshops for boards of directors and CEOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.
batye
User Rank: Apprentice
3/25/2016 | 11:38:15 PM
interesting to know
interesting to know, thank you