What is the profile of a Chief Information Security Officer (CISO) in Luxembourg? Where does the CISO sit in the organisation chart? What challenges and opportunities does the role face? The « CISO in the Spotlight » survey, conducted by CPSI and PwC Luxembourg, aims to shed light on the CISO role in Luxembourg by looking at it from several perspectives.
The typical CISO is highly qualified and experienced: either ten years spent in security, or twenty years of professional experience across all sectors.
49% of CISOs also hold other roles, such as Chief Risk Officer, Chief Information Officer, Chief Operating Officer, Data Privacy Officer or Compliance Officer.
The survey shows a correlation between company size and governance at CISO level: in small and medium-sized companies, 74% of CISOs report directly to the Board, whereas in large companies only 50% do so.
CISOs usually manage security through functional responsibilities. Highly technical fields, such as network security, tend to be outsourced more often than organisational and compliance matters, and partial outsourcing is preferred to total outsourcing.
The scope of a CISO's responsibilities varies widely:
- 52% are not responsible for compliance
- 52% are not responsible for fraud management
- 37% are not responsible for physical security
- 26% are not responsible for business continuity planning (BCP)
- 50% have hierarchical responsibility for incident management
- 25% have hierarchical responsibility for protecting personal data
The most important success factor in a CISO's job is the budget: 73% of respondents said they were satisfied with the budget available to them. As far as constraints are concerned, 69% cited the complexity of IT systems.
The survey was carried out on a representative panel of CISOs working in companies of all sizes across numerous business sectors.