CISO: A Job in Search of a Description
Published 03/13/2023
By Manuela Italia, Co-Chair of CSA Italy's CisoRM Working Group
The massive increase in the volume and complexity of cyber attacks, accelerated by recent global events, together with new pressure from authorities and regulators, is pushing organizations to establish a CISO role to build and oversee an appropriate Information Security Management System.
Italian organizations are aligned with this trend, further encouraged by the establishment of the Italian National Agency for Cybersecurity (ACN) in 2021, which aims to protect the national cyberspace, support the digital development of the country, and promote public-private initiatives to strengthen the national cybersecurity and resilience posture.
In this context, the CISO role is growing and evolving as fast as it remains poorly defined. Differences in core business, size, and culture across companies produce a highly fragmented picture of where the CISO and the cybersecurity function sit in the organization.
- Am I asking for too much budget to execute the cyber strategy?
- Am I paid in line with the market?
- Am I asking for too many people for my team?
- Should my role include more or fewer responsibilities and authorities?
These are just a few of the questions that many CISOs and companies are trying to answer, and that one year ago prompted the CSA Italy CISO Cloud Committee to start the CISO Responsibilities Matrix (CISORM) project.
The CISORM framework was launched with the aim of helping the CISO community gain a better understanding of this role and of providing CISOs with a tool to assess, represent, and benchmark their role. The CISORM methodology considers the role context (company industry and size, salary, contractual grade, years of experience, team size, annual budget, etc.) and several relevant factors (responsibilities, skill levels, and role impact effectiveness) across 8 Information Security domains and 45 sub-domains.
32 CISO Cloud Committee members anonymously completed the online CISORM survey, and an initial analysis and report have been produced from this first data set. Due to the limited size of the sample, at this stage the data should not be seen as a market reference benchmark. However, we are thrilled to unveil the first results on budget, salary, contract, reporting line, job title, and assigned responsibilities, together with a broad description of the CISORM methodology.
The CISO Responsibilities Matrix (CISORM) is still young, and the roadmap for the coming months is ambitious: to become the barometer for the CISO community on the question of “what does it mean to be a CISO today.”
We are excited to share this project with you, and we believe collaboration is essential to advancing the CISORM framework and achieving our goals. That is why we welcome any feedback, suggestions, and ideas on how to make it better. Please reach out to us at [email protected].