The Pay Gap Isn’t The Only Problem For Women In CISO Roles

Last week, we published Forrester’s third CISO Career Paths report. This research involved an analysis of the career paths of Fortune 500 CISOs, looking into the education, tenures, and prior experiences of security leaders at some of the world’s largest companies. This data showcases current trends and helps forecast what CISO roles will look like in the future for CISOs looking to move into larger roles, security leaders seeking their next step, or practitioners thinking of moving into leadership roles.

This blog highlights the interesting data from our research, as well as some items that were left on the cutting room floor. With the introduction over, let’s dive into the data.

International Women’s Day Comes With A Gut Punch For Women In CISO Roles

Despite an increased drive to address cybersecurity’s diversity problems, only 16% of CISOs are female — a mere 3-percentage-point increase from our 2021 research. This situation is only exacerbated when situating the female CISO within the wider C-suite: 79% of CIOs and 90% of CEOs are male.

But it gets worse from there. Out of our sample of 378, there are only 20 instances where a woman in a CISO role is supported by a woman in a CEO or CIO role. In contrast, there are 225 instances where a man in a CISO role is supported by men in CEO and CIO roles.

The solitary nature of these women’s CISO roles also severely impacts tenure. Women in CISO roles that lack other women in the C-suite have an average tenure of 3.8 years, compared to 5.4 years for the average tenure of men in CISO positions. The implications of a 19-month gap include: less time to continue long-term projects with strategic impact; the personal disruption that comes with job changes; and the low likelihood that a woman in a CISO role today will be backfilled by a woman in the role tomorrow.

Security Is Now A Core Competency … And CISOs Are Reaping The Benefits

CISOs have finally climbed their way up to break bread with the rest of the C-suite, moving from being regarded as technical specialists to business leaders. CISOs now have tenure parity with other C-suite execs — in fact, their tenure is longer on average than the CFO, CMO, and CIO. They’re no longer replaceable technicians but rather form a core part of long-term executive strategy. Fifty-five percent of CISOs listed senior organizational titles such as VP, SVP, and director. Sixteen percent hold SVP titles, up from 11% in 2021. Of those with senior titles, 76% held this title from the start of their tenure as CISO, demonstrating the growing recognition of their importance from day one.

Like The Rest Of The Security Community, CISOs Are Ambivalent About Certifications

Forty-six percent of CISOs either don’t have security certifications or don’t value them enough to publish them professionally. Of those CISOs who publish their certifications, however, the average number of certifications held is 3.57. This demonstrates a significant split regarding how CISOs perceive security certifications. By the time one makes it into the C-suite, certifications provide minimal value, but some are proud of the work effort put in to obtain them. Read Rethink Your Reliance On Cybersecurity Certifications for a deeper dive on this topic.

The Cybersecurity Industry Welcomes People Without Degrees … But The C-Suite Does Not

Many security pros build successful careers without a four-year degree — including one of the authors of this blog who didn’t obtain his bachelor’s until his early thirties. When striving for the role of the CISO, our data shows a lack of education to be a major barrier. In fact, a four-year undergraduate education is seen as the absolute minimum for CISOs, who hold 1.7 degrees on average. Fifty-six percent hold a master’s degree, 9% hold three degrees, and an additional 10% hold at least one qualification from an executive education program.

The traditional educational trajectory of CISOs is to start by gaining technical skills and consolidate through developing business acumen. Fifty-three percent of undergraduate degrees earned by CISOs were in a technical science, technology, engineering, or mathematics (STEM) field. Sixty-seven percent of master’s degrees awarded were business-related, however. In fact, only 5% of master’s were security-specific.

In seeking to prove themselves as true C-suite members, CISOs see increased value in leveling up their business knowledge to address executive-level issues rather than further honing their security skills.

Succession Planning For CISOs Falls Short

Getting promoted to CISO is still a difficult leap for internal candidates. Employers prefer to hire external candidates with CISO experience. This isn’t too surprising given the sample set of our data. Your first CISO role is unlikely to be with a Fortune 500 organization. Unfortunately, that also means that promising leadership talent in the Fortune 500 has to move out to move up. Our prior analysis showed that most CISOs take a stepping-stone route from the Fortune 500 up to the 250, the 100, and 50.

The majority of CISOs have already held the role before at another company, with most having almost two prior gigs (1.7) where they held CISO titles. Sixty-seven percent of organizations hired their CISO externally. Of those that went for an internal hire, the average time that the employee spent at the company before getting promoted amounted to just under 10 years. Expect to have to put the time and work in to climb the security ladder internally.

In total, the average time to become CISO from entering the workforce is over 20 years, emphasizing the longevity and experience required for success in the role.

For a look at this data and more, check out the research here: CISO Career Paths 3.0.

(primary data analysis performed by and blog written with Zach Dallas)
