Fortune 500 companies have seen the structure of their security operations teams evolve in recent years, with four of every 10 companies assigning a dedicated deputy chief information security officer or an equivalent leadership role, according to a report released Thursday from IANS Research and Artico Search.
A deputy CISO steps in when the CISO is unavailable and is seen as the eventual successor to the CISO in the company’s risk management hierarchy, according to researchers.
“In practical terms, the deputy CISO often either holds a dual role as a functional department head who takes on additional executive leadership responsibility or operates as a chief of staff who also takes on CISO-like responsibilities that the CISO needs to delegate,” Nick Kakolowski, senior research director at IANS Research, told Cybersecurity Dive via email.
Security team structures at Fortune 500 firms have expanded into at least four layers of specialists, according to the IANS-Artico report. The teams typically include leaders in security operations, identity and access management, risk and compliance, and security architecture and engineering.
CISOs have increasingly been asked to work with senior management to deal with corporate governance issues and to engage board members and C-suite executives on regulatory matters, which means they need additional specialists to help oversee core security functions.
Board and C-suite engagement is now standard practice at Fortune 500 companies, where about 95% of CISOs work directly with the board. About one-third of CISOs engage directly with the full board of directors, while two-thirds of CISOs meet with risk or audit committees.
The report is a snapshot preview of a larger survey of 1,500 CISOs and other security professionals.