
3/24/2016
03:40 PM

Meet The Fortune 100 CISO

Digital Guardian data shows that the typical Fortune 100 CISO is a white male with a background in IT security and a Bachelor's degree in business.

While still relatively new to the C-suite, the role of the chief information security officer (CISO) has become more prevalent as major breaches force companies to take a hard look at their security posture and whether or not they are appropriating the proper (human) resources to avoid a breach. More than half of businesses have a CISO in charge of their security, and even the White House--although perhaps a little late--is gearing up to hire its first federal CISO.  

As the CISO takes a permanent seat at the executive table, questions about what qualifies an individual for the position arise. Digital Guardian, a data protection company, researched the typical traits of today's CISO and produced an infographic revealing just what a typical Fortune 100 CISO looks like. 

It probably comes as no surprise that Digital Guardian found that most CISOs, 89%, are male, a number that largely reflects the gender breakdown of the information security market. “There is a growth in the demographic as security expands, but with all C-level positions, it takes time to get that change all the way up,” says Salo Fajer, CTO for Digital Guardian. 

One stat that Fajer found very interesting was the number of CISOs with an education in business who are entering the security world. According to the infographic, 40% of CISOs have business degrees, with information technology/information security and computer science following behind, with 27% and 23%, respectively. “It’s not necessarily surprising considering the need to keep the business model in mind as you calculate the risk with the security posture in mind,” Fajer says.   

Nearly 20% of CISOs have backgrounds in military or government work, the second most common background after IT/IT Security (59%). To Fajer, this makes sense. CISOs are having to approach security with an investigative eye and focus on more than just layered defense, he says, and when CISOs have a background in military or government, it helps bolster the investigative skills of incident response teams.

Most CISOs haven’t logged many miles in their positions, however: 80% of CISOs have held their current position for less than five years. Fajer says there's a growing awareness of security as a high level concern within the organization rather than just a subset of IT operations. 

Fajer says a few qualities that the infographic doesn’t highlight but are essential to success as a CISO are the ability to balance the needs of the business and the security posture, as well as knowledge of regulatory and investigative procedures.

Having the business acumen to understand the impact of a breach is the most important skill a CISO can have, he says. A myopic view that only includes the needs of your department just won’t cut it.  

Source: Digital Guardian

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...
Comments
Joe Stanganelli,
User Rank: Ninja
3/30/2016 | 8:31:43 AM
Re: BA degree in business?
The CISO is, in my mind, more on the financial side of the equation than the IT side of the equation -- especially if the CISO is also responsible for general data privacy measures/compliance.  Security, privacy, data protection -- these are all risks.  As such, they fall under the heading of risk management -- finance.

Compare the CIO, who is more involved with IT as a whole.
Dr.T,
User Rank: Ninja
3/28/2016 | 12:05:18 PM
BA degree in business?
That is also surprising for me; you would expect a BA in IT at least.
Dr.T,
User Rank: Ninja
3/28/2016 | 12:03:13 PM
Re: OWASP top 10 CISO
Good point. An information security officer has to have a good understanding of both application and network architecture. It does not matter at what layer the vulnerability is. 
Dr.T,
User Rank: Ninja
3/28/2016 | 11:59:34 AM
Re: Who Fortune 500 CISOs listen to?
Good to know. I will check this. Everybody needs some type of security awareness training I would say.
Dr.T,
User Rank: Ninja
3/28/2016 | 11:57:45 AM
Re: interesting to know
It was surprising for me; I was expecting a more diverse picture.
Dr.T,
User Rank: Ninja
3/28/2016 | 11:54:57 AM
Typical CIO
Obviously the same characteristics as CIO and CTO. COO and CEO for that matter. 
johannacuriel,
User Rank: Apprentice
3/27/2016 | 8:08:55 PM
OWASP top 10 CISO
Recently, we had a discussion at OWASP regarding the Top 10 CISO; from our point of view this person should have a programming background in order to make sure that application security gets the attention it needs. We are quite afraid that most CISOs focus only on network security and ignore app security, and also that there is a potential inability to communicate with application developer teams and understand their issues and needs.
DorisG987,
User Rank: Strategist
3/27/2016 | 3:28:13 AM
Who Fortune 500 CISOs listen to?
Mr. Edgar Perez teaches a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he is offering cyber security workshops for boards of directors and CEOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.
batye,
User Rank: Apprentice
3/25/2016 | 11:38:15 PM
interesting to know
interesting to know, thank you