IT Strategy

How to tell when your business needs a CISO

Competition for CISOs is increasing in sectors that historically haven’t needed them.

Emily Parsons


Factory lines? Spacecraft? Animatronic pizza mice? If your firm has any of those, it might be time to hire a CISO.

Restaurant Business Magazine, for example, recently reported on the trend of restaurant chains hiring CISOs. Nathan Hunstable, who joined Chuck E. Cheese owner CEC Entertainment this year, has responsibilities including governance, risk, and compliance (GRC) strategy, as well as supervising franchisees and employee training.

“If you get into the weeds of the technical, most of them just aren’t going to follow it,” Hunstable told the magazine of CEOs, emphasizing that the role now centers around explaining security issues in terms of business risk.

“It’s kind of a nuclear race in the CISO space,” Rajiv Lulla, a partner in advisory firm Caldwell’s data, digital, and technology leaders practice, told IT Brew.

CISO time

The CISO role is popping up in many industries that now manage large data sets and thus have to secure them, according to Lulla. He pointed to retail, which has to manage payments and supply chain security, and manufacturers of automated agricultural equipment. Lulla has also noticed competition for CISOs in exotic sectors ranging from quantum computing to mining and metal startups.

Anant Adya, EVP of digital services consultancy Infosys, told IT Brew demand for CISOs is rising quickly in the manufacturing sector, where he said some companies have historically lacked anyone in that role despite revenues of between $2 billion and $10 billion.

“We are increasingly seeing these companies move forward with a CISO role as cybersecurity becomes a critical board imperative,” Adya told IT Brew via email.

Lulla said initial applications of big data tend to be oriented towards top-line growth, followed by internal efficiencies and automation. Each successive stage requires more connectivity, whether it’s gathering data from legacy systems, decades-old manufacturing lines, or self-driving tractors.

“Once you have connectivity, then you need security,” Lulla said. “You’re realizing the top-line growth…Man, you gotta make this secure.”

Adya noted CISO roles increasingly demand significant collaboration across departments ranging from legal and compliance to communications and marketing, in addition to their tasks in the realms of IT and the boardroom.

“Previously, CISOs focused mainly on protecting against threats and driving compliance,” he wrote. “However, the role now requires a strong business focus.”

Can’t afford one?

Lulla advises that any company worth around $20 to $30 million have an executive with a portfolio explicitly covering cybersecurity, especially firms that are vendors for experiencing rapid inorganic growth.

“Flying without a CISO is like having no insurance, right?” Lulla said.

However, Lulla acknowledged a CISO doesn’t come cheap. He estimated the role demands a salary of around $200,000–$250,000, plus equity and other compensation totaling around half a million dollars annually. That’s in line with recent survey data from IANS Research, which pegged the average salary of a CISO in the US or Canada at around $565,000 (though the median was a slightly more affordable $403,000).

There’s good news for organizations that aren’t ready to make that kind of investment: it’s easy to hire a virtual or fractional CISO. Virtual CISOs are outsourced, third-party security experts. Conversely, a fractional CISO works on a part-time or project basis, and is typically either a senior IT staffer holding down multiple functions or an external contractor.

The biggest challenge facing a fractional CISO is culture, according to Lulla, since a “big element in a CISO’s work is overcoming internal inertia.”

“Building a security-first culture, you can’t do that as an outside fractional CISO if you’re not collaborative, you’re not influential, you don’t have credibility.”
