Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) are often given the mission of leading the convergence of physical and digital security for their organisations. How are those in these roles coping with the challenge?
Presented as rivals by some, cohabitors by others, and a cost-saving exercise by the Chief Financial Officer (CFO), convergence of physical and digital security is not for the weak-willed. It is not a one-size-fits-all solution, and many in both disciplines have been unprepared for this union.
The Chief Security Officer (CSO) of today is a strategic thinker, tech-savvy in their business leadership, and an effective risk manager who can navigate evolving threats and organisational dynamics.
The Chief Information Security Officer (CISO) retains the same qualities whilst being the accountable person for securing the organisation's data and technology infrastructure from cyber threats, now also managing AI integration and intrusion.
Both started their journeys without a career plan to the top, but such roles have developed to become pivotal as emerging risks are omnipresent.
A regulated landscape
The regulatory landscape gives both the CSO and the CISO the means to meet an organisation's responsibilities in the UK and, if it trades with the EU, the compliance frameworks set out by GDPR and the EU AI Act. The Network and Information Security Directive 2 (NIS2), the EU-wide legislation on cybersecurity, imposes legal obligations on in-scope entities to raise the overall level of cybersecurity and harmonise cyber resilience across the EU.
The National Cyber Security Centre (NCSC) promotes Cyber Essentials, the UK Government-backed certification scheme aimed mainly at small and medium-sized businesses, to help them keep data safe. The NCSC reported that in the past 12 months there were 7.7 million cyber attacks in the UK.
The NCSC has launched CISP, a free platform for cybersecurity professionals to collaborate on cyber threat information in a secure and confidential environment. In the UK, we rely on the 1990 Computer Misuse Act to prosecute hackers and online fraudsters. The forthcoming Cyber Security and Resilience Bill, announced in 2024, seeks to respond to the speed and agility of recent attacks on the NHS, the education sector, retailers and leading corporations.
What is the effect?
How are CISOs coping with increasing legal scrutiny and regulatory cyber oversight? Not well. According to recent research from the Information Systems Security Association (ISSA), over half of those surveyed claim that their job is stressful most of the time due to overwhelming workload, working with uninterested business managers, and keeping up with the security requirements of new business initiatives. A third say it is very likely or likely that they will leave their current job within 12 months. Nearly half have considered leaving cybersecurity altogether. Most claim they are frustrated because their organisation does not take cybersecurity seriously.
How is the CSO coping with increased regulation, reductions in physical security budgets, and persistent threats, balanced against the boardroom's growing risk appetite to deliver greater shareholder and executive wealth? In general, they are frustrated by budget being withheld unnecessarily until a crisis response is required, such as the assassination of a corporate executive. All operate in an increasingly interconnected, matrixed, technology-driven, polycrisis global environment.
The ISSA research indicates that due to the age demographics of CISOs, there is a higher incidence of retirement, while others will move on to become better-paid portfolio CISOs or take field CISO positions with security technology vendors.
Within Europe, spending on cybersecurity and early AI adoption has created a market worth £39 billion, which Statista predicts will reach nearly £100 billion by 2030. The average global cost of a cyber attack is £4 million per incident, covering corporate recovery, client restitution and cybersecurity upgrades. Over half of consumers say they distrust a company after a cyber breach.
Competition for qualified future leaders, and for the remuneration to attract them, is fierce. There is not a significant population of next-generation CISO candidates with the right C-suite experience to step up. This is where the CSO, who generally has a longer tenure in post, understands regulatory risk, adapts when needed to make strategic decisions, and delivers board presentations, is qualified to take forward cybersecurity.
© CITY SECURITY MAGAZINE – SUMMER 2025
www.citysecuritymagazine.com
This is leading to pay inflation for both the CISO and CSO roles and for those in their reporting lines to the Chief Information Officer / Chief Technology Officer. In smaller organisations, there is an increasing trend for the cyber-focused CISO/CSO to report to the CEO, as this critical function takes the brunt of hostile attacks from both state actors and organised crime.
Pay depends on a multitude of factors: whether the role is greenfield, replacing a long-serving incumbent, or responding to a loss; shareholder pressure; start-ups and break-ups; sector dynamics; organisational shape; and international reach. The top pay quartile in the UK for a CISO ranges from £215,000 to £330,000, and the CSO is similarly matched. Both would be awarded long-term incentives, which should double their remuneration over a 5–8-year range. Sector bonuses are usually up to 50% of pay.