After months of research and analysis, we are releasing the most complete study on the 2023 Fortune 500 Chief Information Security Officers (CISOs) and want to offer up some observations you may find interesting. Most of the lists of the Fortune 500 CISOs on the internet are from previous years and are now significantly outdated.
In addition, they only provide names, companies, and titles. I wanted to go much deeper. As a Retained Executive Search firm that specializes in placing CISOs and their direct reports, we are deeply ingrained in the CISO community and knew this could be a highly useful resource.
This list is always changing. We have a high degree of confidence that most of the data is correct as of November 2023. However, every time we reviewed the data over the past few months, more changes have occurred. We have changed over 100 of the individuals and updated all 500 profiles. Our goal is to continuously update this list until the 2024 Fortune 500 is updated, then we will rework it entirely. Please help us keep this list updated. If you have corrections, updates, or suggestions, please submit them here.
Why is this list needed?
- Complexity of the CISO Role: It shines a light on what is arguably the most complex and difficult executive role, as evidenced by the shortest retention rate of all the executive positions. The CISO position often has an extraordinarily broad list of responsibilities. Here’s a quick glimpse of those responsibilities: Personas of a CISO.
- Support for the CISO: The CISO role is frequently a high-stress, under-appreciated, and under-funded position. In a recent Fortify Experts leadership survey, 64% of leaders felt they were underfunded and understaffed. CISOs have all the pressure to protect the company, but often not the support to do it effectively.
- Lack of CISO: 19% (94) of Fortune 500s do not have a dedicated CISO. Many Fortune 500s have not elevated security to the executive level.
- Diversity: Raise the level of visibility on the lack of diversity within the Fortune 500 CISO position.
We have scoured all of our data sources and tried to cross-reference them to ensure our list is as accurate as possible. Here’s a sample of the data sources used.
- Personal LinkedIn Networks: I am personally connected with 30,000 people, over 10,000 of whom are security leaders. Plus, our team is directly connected with similar-sized LinkedIn networks.
- Talent Management Database: We are constantly interviewing, monitoring, and updating over 20,000 security leadership profiles, and we leverage AI to scan for public profile changes.
- LinkedIn Recruiter License: The LinkedIn Recruiter tool allows us to access all of the LinkedIn profiles; most people are limited to seeing only within 3 degrees of their connections. It also gives us powerful filtering and discovery tools, plus it allows us to set up CISO job change alerts.
- CISO Forums: We host monthly CISO Forums to stay up to date on current trends and changes within the industry.
- Cybersecurity DIVAS: We started the non-profit Cybersecurity DIVAS to promote the successes of women in security and to build mentorships to improve diversity in security. See the list of over 200 Cybersecurity DIVAS (women security leaders) who have been incredibly impactful in Security.
- Other Data Sources: We subscribe to many data tools such as ZoomInfo, Checkmate, and SalesQL, plus we belong to security organizations such as Infragard, ISSA, ISACA, etc.
F500 List Observations:
Elevating the Importance of the Role: With 19% of the Fortune 500 firms (94 of them) not having a designated CISO, does it send the wrong message to the public and investors that those companies either view security as a technical problem or it is not critical to their success?
Fifty-one (10.2%) of the F500 firms without a CISO designate the Chief Information Officer (CIO) as their acting CISO. Most security executives criticize this approach, because they say that the CISO role can be in direct opposition to the CIO. They say it is like the “fox watching the hen house” because both roles have competing agendas and budgets.
In addition, the combined CIO/CISO role is criticized because of the breadth of responsibilities required of the CISO. This often includes risk management, governance, compliance, third-party assessments, technical controls, pen testing of systems, security engineering, and architecture. Critics say this addition is too much for a CIO of a major corporation to oversee adequately.
Seventy-four of the 94 firms without CISOs designate a Director-level resource as the top security person. Most often this is a Director of Security or Information Security who reports to the CIO.
In 2019, HelpNet Security reported that 38% of the F500 did not have a CISO. Today it is down to 19%. While this is a significant improvement, given the increasing number of breaches (2023 is the worst year ever) and their severity, the fact that 94 major corporations still do not have a dedicated CISO is pretty eye-opening.
To elevate security across public companies, the Securities and Exchange Commission (SEC) adopted new cybersecurity rules that go into effect on Dec 18th, 2023. The new rules require companies to disclose their cybersecurity risk management strategies and governance policies. Plus, they require companies to file disclosures within four business days of experiencing a material (i.e., potentially stock-impacting) cyber incident.
The goal of the SEC was to put additional pressure on public firms to provide cybersecurity visibility, which should lead to higher awareness and attention. This will likely lead to more firms elevating security and assigning an official CISO.
Learn how to hire a great CISO with our Insider’s Guide.
For many years, it has been reported by multiple sources, such as Forbes and CSO magazine, that the average tenure for a CISO is about 24 months. In our research, this is still true in the SMB market, but we did not find it true for the CISOs at F500 firms. In fact, the CISO tenure averaged just over 4.5 years. The median of the CISOs’ tenure was 3.6 years.
The average CISO tenure within the company was 8.3 years, with a median of 5.3 years. We found a large portion of CISOs (38%) were promoted from within the firm. This proves that the grass is not always greener on the other side. Many loyal, long-term employees have been rewarded with an internal promotion up to the CISO level.
Note: The average and median were calculated from the best available data sources. When there was no clear data available, those numbers were not included in the final results. Plus, many leaders are not quick to update social media profiles, which may lead to errant or outdated data. Please submit all corrections here.
There were a number of turnovers within the past 6 months (May to Nov 2023): 27, or about 5%, of the F500 companies changed CISOs. There are 10 firms that have recently had their CISO position vacated, either through a release or a resignation, and have yet to announce a replacement. These firms are:
- 491: SVB (Assets purchased by First Citizens Bank)
Throughout the 1990s and early 2000s, security was not a sexy career choice for most women. It had a reputation of being a heavily male-dominated and ego-driven career path full of nerds. The women who survived that era were battle-scarred and toughened. Very few rose to the top.
This gave rise to the purpose behind Cybersecurity DIVAS when we created it back in 2020. We wanted to honor those women who succeeded in what were often unfriendly work cultures. Our goal was to promote and normalize those successes and to create real one-on-one mentorships between these leaders and women aspiring to be like them.
2021 Fortify Experts Cybersecurity Diversity Study
With the help of Cybersecurity DIVAS and many other diversity initiatives, some progress is being made, as we are getting closer to 25% of cybersecurity roles being filled by women.
However, the biggest void is the lack of diversity at the security architect level. This has traditionally been the required pathway to get to the CISO level. Since this architect role is the least diverse role in cybersecurity (less than 7% women), executive leadership has been trying to accelerate diversity by skipping over the architecture space and promoting women and minorities out of different pathways. Most often, this involves promoting someone from the GRC career pathway or general IT instead of the more technical security architecture pathway.
2021 Fortify Experts Cybersecurity Diversity Study
While many excellent leaders have emerged from these alternative pathways, I think it has created some weaknesses in the role. In my observations, when a publicized breach occurs, I have to admit I look for the pathway taken by the CISO, and there seems to be a correlation between breaches and leaders who have come up through the GRC or general IT route and have not spent time in security architecture. It would be interesting to study this to see how strong the correlation is. Leaders with this alternative history can do an excellent job as long as they surround themselves with the right leadership team and are willing to listen to them.
In my very humble opinion, firms should be doubling down on diversifying the security architect roles to help grow a more technically minded, diverse pool of leadership candidates. In 2023, we helped several firms increase diversity in their security architecture teams.
Now, off my soapbox and back to the F500.
Our list includes pictures. This is the first list you can visually search to quickly see the diversity, or lack of diversity, among these leaders. When we only look at the dedicated security leaders (excluding CIOs), we find that 13.8% of them are women. This is slightly up from the 13.3% across all security leaders in the 2021 Fortify Experts Diversity Study.
There are 23 African American F500 CISOs, which is 4.7% of the total CISO population, but only 4 of those are African American women (0.8%). I did not dive deeper into the other minorities, because when we are engaged on a CISO diversity search, those are the two categories that clients are most interested in. For most firms interested in improving diversity numbers, Latinos, Cubans, Indians, Asians, and Veterans don’t appear to move the needle on diversity decisions.
Diversity should be seen as a strength. As a Certified Birkman Coach, I also encourage building diverse teams based on neurodiversity instead of just focusing on ethnic or gender diversity.
Many studies have proven that neurodiverse teams can be up to 33% more creative and productive. In creating a neurodiverse team, we focus more on developing teams based on a mix of different core personality types such as:
- Drivers/Task Masters – People who demonstrate strong leadership skills to keep the team moving forward.
- Communicators – Strong communicators who can sell the ideas internally and externally.
- Analytical/Process Oriented – People who love to look for patterns and analyze data to derive solutions.
- Deep Thinking Creatives – More introspective people who come up with creative solutions to problems.
Neurodiversity is more about how a person thinks, not what their skin color or gender is. However, it naturally leads to a more diverse team because you begin to look for people who are different from the other members of the team.
Highly productive neurodiverse teams result because brainstorming, problem-solving and creativity come from a team with a wider perspective.
I do believe a diverse leadership team is important in setting the tone, but I encourage firms not to focus solely on the leadership. Instead, build from the bottom up to create a strong base that you can promote from. Again, this is the purpose of www.cybersecuritydivas.com: to build a pool of talented, diverse security candidates who are ready to take on the next generation of security challenges.
I hope you find this F500 CISO list useful. Help us keep it up to date here. If you are looking to hire a CISO, that is our specialty. We work with and interview CISOs every day from the F500s, to startup CISOs, to virtual CISOs. We have developed a sure-fire methodology to help you identify, assess, evaluate, and hire the very best CISO for your specific situation.
Download our free Insider’s Guide to “How to Hire a CISO”.
About Tim Howard
Tim Howard is the founder of 5 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as providing expert leadership advisory consulting.
He has a passion for helping CISOs develop higher-performing teams through coaching, creating topic-rich CISO Forums, and by helping them improve their careers.
He also teamed up with Lyndrel Downs to launch www.CybersecurityDIVAS.com to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the cybersecurity industry.
Tim has been leading technology staffing teams for over 20 years and has degrees from Texas A&M University in Industrial Distribution and Marketing.
Invite me to connect: www.linkedin.com/in/timhoward