The second “CISO (Chief Information Security Officer) in the spotlight” survey analyses the evolution of the CISO’s role over the past two years in Luxembourg

Conducted by the CPSI (College des Professionnels de la Sécurité de l’information) and PwC Luxembourg, the survey shows that, despite being under-represented in management committees (only 13% occupy a seat), a CISO, today, serves as a technical expert with clear business understanding and a risk mindset. The study also shows that 76% of CISO's now hold a full-time position, compared to just 53% two years ago.

Rise of the CISO: The gradual coming of age of a role and an organisational culture

With the growing awareness that information security breaches expose organisations to severe operational, legal, financial and reputational risk, businesses are realising the benefits of embedding security consciousness, and hence the role of a CISO, into the organisational culture, and making it a core competency.

This is reflected in the latest CISO survey, conducted jointly by the CPSI and PwC Luxembourg. Compared to the results from the 2016 survey, this year’s report shows significant progress in various aspects related to a CISO’s role in an organisation.

There is a growing recognition of allocating a full-time role for the CISO/ISO (Information Security Officer) position. In 2016, just over half of the respondents reported that CISO/ISO roles were full-time. Today, over three quarters consider it to be a distinct, full-time job.

Whereas in 2016 no CISO/ISOs reported working at the executive committee level, today 13% report to the CEO. “The growing proximity to the CEO reflects the recognition of the CISO/ISO as being an executive level contributor, and the organisational seriousness towards information security,” said Greg Pitzer, Partner and Cybersecurity leader at PwC Luxembourg.


The report also shows that for nearly all companies, information security is a priority. As many as 65% of the companies that responded to the survey see it as being a necessity for their organisations. Companies that see information security as an enabler also value the opinion of their CISO/ISOs and take it into account in their decision making process. “If an existing configuration within a company affects the ability of a CISO/ISO to raise security concerns freely, they need to discuss this with the management to make sure they are involved in strategic information security-related decision-making,” added Pitzer.


A role both complex and gratifying 

Most CISO/ISOs (85%) admit that their jobs have become more complex than they were in 2016 due to the fact that the world has become increasingly interconnected and dependent on cloud technology. The key aspect that plagues CISO/ISOs is the reality that people are the weakest link in an organisation. The lack of qualified security professionals and negligent employees working in a complex IT environment are prone to cause the most damage.

Companies need to establish a cybersecurity culture where everyone has the responsibility to observe and promote security practices and to behave in a way that is aligned with the information security strategy of a company,” said Rodolphe Mans, President, CPSI.

But, despite the increasing complexity of their job, the majority (92%) of the CISO/ISOs consider their role to be great and satisfying. For more information, read the full report here.