Written with Zaklina Ber, senior research associate, Forrester

Forrester analyzed the career backgrounds of 168 chief information security officers (CISOs) with public profiles who are working for major organizations in Europe with listings in the highest stock market indexes in the UK (FTSE 100), France (CAC 40), Germany (DAX 30), Italy (FTSE MIB), Spain (IBEX 35), and the Netherlands (NL25). This helped us understand the educational and professional backgrounds of current CISOs and get a sense of diversity in leadership positions in the industry today. Unfortunately, we have a diversity problem in CISO leadership positions in Europe. We found that:

  • CISO positions in Europe are male dominated. In our sample across the largest organizations in Europe, only 8% of CISOs are female. In comparison, 13% of CISOs in the Fortune 500 of US organizations are female. Organizations need to take action — it’s taking too long for high-potential female talent to progress to leadership positions. Organizations need to implement mentorship and sponsorship programs for high-performing women on their security teams.
  • The diversity of educational backgrounds is more homogenous. Very few European CISOs come from non-technical liberal arts backgrounds compared with the US. The overwhelming majority of CISOs have risen to where they are from a technical degree to work in IT functions and then to the CISO role. The industry needs to work harder to promote individuals with more diverse educational backgrounds into CISO roles to take advantage of the skills and perspectives they have. Good security leaders need not only technical skills, but also an understanding of corporate risk management, politics, governance, financial planning, people management, and leadership skills.
  • The widely quoted two-year average tenure statistic is a myth. We found that the average tenure of CISOs in the European countries we surveyed was actually closer to the average four-year tenure found in the US Fortune 500. This shows that the conventional wisdom that CISOs survive for two years before becoming the archetypal sacrificial lamb is not quite borne out in reality.
  • Even European CISOs can’t escape the certification mill. The CISSP (Certified Information Systems Security Professional) and the CISM (Certified Information Security Manager) are the two most prominent certifications held by European CISOs. Security certifications are more prevalent among European CISOs versus US security leaders. Certifications in security are an unavoidable evil to get past initial screening efforts from recruiters who do basic keyword searches based on certifications to identify potential employees.

What this all means is that CISOs need to work harder to foster and promote diversity in their teams at all levels to build a pipeline of talent for future leadership positions within their organization and facilitate succession planning. For more information, please see my recently published report, available here for Forrester clients.