More and more businesses now have CISOs - but they're increasingly taking the blame for attacks

What is the role of the Chief Information Security Officer (CISO)? A new report has suggested it mainly serves as a scapegoat for all cybersecurity incidents, and then some.

Fastly surveyed 1,500 global IT decision-makers on their opinions, and found while the number of newly appointed CISOs continues to grow, many respondents still don’t properly understand the role.

The report found the recent CISO hiring boom has consolidated, as in 2022, it was 120%, and has now fallen to 73% in 2023, meaning nearly three-quarter (73%) of UK and Irish businesses now have a CISO, and a further 15% are planning to hire one in the next two years.

Confusion

But many still don’t understand the role. More than a quarter (27%) think CISOs are blamed too often for things out of their control – a sentiment that has persisted over the years (25% in 2021 and 30% in 2022).

When it comes to identifying roles, responsibilities, and expectations of CISOs, IT pros are somewhat confused: 2 in 5 (39%) believe CISOs need to have an in-depth understanding of all areas of IT (down from 54% a year ago), while a quarter (23%) think they were given too much legal and operational responsibility (down from 34% a year ago).

“Our data suggests there still exists confusion over what the role of the CISO’s actually entails,” said Fastly’s CISO Marshall Erwin. “This disparity of opinion highlights how the role has evolved in recent years, particularly with challenges to organisation’s security postures and growing threat landscape.”

Until this year, CISOs were confined to IT and risk management, Erwin added, saying that things changed this year. Now, CISOs are increasingly being perceived as business leaders, responsible for the strategic direction of an organization’s cybersecurity strategy. That is, he points out, where the lack of understanding about the role comes from in the first place. “Within two years, the majority of UK and Irish businesses will have filled the CISO role. For them to work effectively, there is clearly a need for organizations to develop greater understanding of the role amongst IT departments.”