Last week, we published Forrester’s third CISO Career Paths report. The research analyzes the career paths of Fortune 500 CISOs: the education, tenures, and prior experience of security leaders at some of the world’s largest companies. The data shows existing trends and helps forecast what the CISO role will look like in the future, whether you are a CISO looking to move into a larger role, a security leader looking for your next step, or a practitioner thinking about moving into leadership.
This blog highlights the interesting data from our research, as well as some items that were left on the cutting room floor. With the introduction over, let’s dive into the data.
International Women’s Day Comes With A Gut Punch For Women In CISO Roles
Despite an increased drive to address cybersecurity’s diversity problems, only 16% of CISOs are female — a mere 3-percentage-point increase from our 2021 research. This issue is only exacerbated when situating the female CISO within the wider C-suite: 79% of CIOs and 90% of CEOs are male.
But it gets worse from there. Out of our sample of 378, there are only 20 instances where a woman in a CISO role is supported by a woman in a CEO or CIO role. In contrast, there are 225 instances where a man in a CISO role is supported by men in CEO and CIO roles.
The solitary nature of these women’s CISO roles also severely impacts tenure. Women in CISO roles that lack other women in the C-suite have an average tenure of 3.8 years, compared to 5.4 years for the average tenure of men in CISO positions. The implications of a 19-month gap include: less time to continue long-term projects with strategic impact; the personal disruption that comes with job changes; and the low likelihood that a woman in a CISO role today will be backfilled by a woman in the role tomorrow.
Security Is Now A Core Competency … And CISOs Are Reaping The Benefits
CISOs have finally climbed their way up to break bread with the rest of the C-suite, moving from being regarded as technical specialists to business leaders. CISOs now have tenure parity with other C-suite execs — in fact, their tenure is longer on average than the CFO, CMO, and CIO. They are no longer replaceable technicians but rather form a core part of long-term executive strategy. Fifty-five percent of CISOs listed senior organizational titles such as VP, SVP, and director. Sixteen percent hold SVP titles, up from 11% in 2021. Of those with senior titles, 76% held this title from the start of their tenure as CISO, demonstrating the growing recognition of their importance from day one.
Like The Rest Of The Security Community, CISOs Are Ambivalent About Certifications
Forty-six percent of CISOs either do not have security certifications or do not value them enough to publish them professionally. Of those CISOs who publish their certifications, however, the average number of certifications held is 3.57. This demonstrates a significant split regarding how CISOs perceive security certifications. By the time one makes it into the C-suite, certifications provide minimal value, but some are proud of the work effort put in to obtain them. Read Rethink Your Reliance On Cybersecurity Certifications for a deeper dive on this topic.
The Cybersecurity Industry Welcomes People Without Degrees … But The C-Suite Does Not
Many security pros build successful careers without a four-year degree — including one of the authors of this blog who didn’t obtain his bachelor’s until his early thirties. When striving for the role of the CISO, our data shows a lack of education to be a major barrier. In fact, a four-year undergraduate education is seen as the absolute minimum for CISOs, who hold 1.7 degrees on average. Fifty-six percent hold a master’s degree, 9% hold three degrees, and an additional 10% hold at least one qualification from an executive education program.
The traditional educational trajectory of CISOs is to start by gaining technical skills and then build on them by developing business acumen. Fifty-three percent of undergraduate degrees earned by CISOs were in a technical science, technology, engineering, or mathematics (STEM) field. Sixty-seven percent of master’s degrees awarded were business-related, however. In fact, only 5% of master’s degrees were security-specific.
In seeking to prove themselves as true C-suite members, CISOs see increased value in leveling up their business knowledge to tackle executive-level issues rather than further honing their security skills.
Succession Planning For CISOs Falls Short
Getting promoted to CISO is still a tough jump for internal candidates. Employers prefer to hire external candidates with CISO experience. This isn’t too surprising given the sample set of our data. Your first CISO role is unlikely to be with a Fortune 500 organization. Unfortunately, that also means, for promising leadership talent in the Fortune 500, they have to move out to move up. Our prior analysis showed that most CISOs take a stepping-stone route from the Fortune 500 up to the 250, the 100, and 50.
The majority of CISOs have already held the role at another company, averaging 1.7 prior positions with a CISO title. Sixty-seven percent of organizations hired their CISO externally. Of those that went for an internal hire, the average time the employee spent at the company before being promoted was just under 10 years. Expect to have to put the time and work in to climb the security ladder internally.
In total, the average time to become CISO from entering the workforce is over 20 years, emphasizing the longevity and experience required for success in the role.
For a look at this data and more, check out the research here: CISO Career Paths 3.0.
(primary data analysis conducted by and blog written with Zach Dallas)