Download the full report here >


Global challenges, including the cost-of-living crisis, are driving more susceptibility to bribery, increased threats from organised gangs or government-backed bad actors, deep fakes, and ChatGPT for targeted phishing. These are, on the one hand, creating intense demand for Security leaders’ skills and, on the other, creating a fiercely difficult environment in which to operate.

The shortage of cyber security professionals is an enormous threat to organisations, their business continuity, supply chains and existence. Organisations with unfilled roles are more likely to face higher costs after a breach. IBM have estimated that the United Kingdom is now the fourth costliest country for data breaches at an average of $5.05 million, up from $ 4.67 million. Germany follows closely behind, with average costs of $4.85m, France $4.34m and Italy $3.74m. Scandinavia is the lowest at $2.08m.

Savannah’s analysis of cyber security professionals1, specifically CISOs, (Chief Information Security Officers), identified that they are starting in positions younger and staying for less time. The current median tenure for CISOs is under three years. The confluence of greater pressure from senior business leaders, a more complex digital landscape, and the hydra of external threats are leading to burnout and a significant impact on mental health. All of which is exacerbated by the difficulties in hiring and retaining talent, further compounded by more CISOs resigning with no intention of returning.

An additional challenge for CISOs is their increasingly client-facing role and responsibilities, particularly in organisations that hold a significant place within broader ecosystems. Indirect cyber-attacks have increased from 44% to 61% (IBM Security), and with companies regarded only as strong as their most vulnerable link, CISOs offering assurance to external parties is a necessity. Leaders are justifiably becoming more concerned about the weaknesses in their own supply chains, and those of third-party partnerships. The nature of these challenges means that CISOs must progressively become more externally focused and adept at selling how resilient their business is to CEOs, the board and other stakeholders.

We are at a crossroads, a point at which cyber resilience has become the defining mandate of our time –beyond foundational security controls – to anticipate future threats, withstand, recover from cyberattacks and adapt to likely future digital shock.

(World Economic Forum, 2022)


With the increasing prevalence of more sophisticated cyber breaches and organisations becoming more dependent on digital technologies, cybercriminals are utilising every avenue available to exploit vulnerabilities. They are more agile than ever, quickly adapting to new technologies and tailoring them to their needs, whilst cooperating with each other to create sustained attacks. More traditional criminal gangs are now going ‘digital’, procuring the services of ‘Cyber Criminals as a Service’.

There have been instances of malicious hacks used to change share prices and Deep Fake audio and video being manipulated to make false business announcements to control financial markets.

Ransomware attacks are more frequent, causing an estimated €18 billion worth of damage in 2021 – a 57-fold increase since 2015 (EU Agency for Cybersecurity, 2021). In 2022, there was an average of 270 attacks per organisation, an increase of 31% over 2021.

Phishing attacks jumped by 61% in 2022, with an estimated 255 million attacks detected (Slash-Next). Almost 60% of the breaches across EMEA included the exploitation of human error and social engineering.

Insider threats are growing in prevalence, partly driven by the cost-of-living crisis. At the analogue end of the cyber threat spectrum, the use of stolen or compromised credentials remains the most common cause of a data breach and the longest to identify and contain, with an average of 243 days and 84 days respectively (IBM Security).

During 2020/21, with large swathes of the population shifting to remote work, there was a marked decrease in instances of malware. This trend reversed rapidly by the end of 2021, as people started returning to their offices (European Parliament).

According to Accenture’s 2021 State of Cybersecurity Resilience report, there are currently 1,900 distinct active hacking groups that employed 514 new malware strains and an estimated 100 different strains of ransomware currently active.

According to Enisa (European Union Agency for Cybersecurity), there were more Internet-of-Things (IoT) attacks in the first six months of 2022 than in the previous four years.

Quantum Computing – The standard 40bit password will be cracked in milliseconds. Security in a quantum processing world will further shift the paradigm from building Cyber Security to building Cyber Resilience.


We used Savannah Group’s proprietary AI technology, MapX, to analyse the backgrounds and pathways of over 200 CISOs. We compared established, multi-role individuals with the next generation of CISOs who had just taken their first role. Our research covered privately owned and listed large businesses across UK, US, Europe and Asia.

Unsurprisingly, noticeable differences between the two populations surfaced, no doubt because of the significant evolution of the CISO role over the last few years:

  • First time CISOs have a higher rate of emerging from a technical pathway, with Architecture, Cloud and Infrastructure being the more common gateways. Conversely, established CISOs, who have had
    multiple roles, have a greater representation from Governance, Risk and Compliance (GRC).

Multi-Role versus Next-gen CISO role backgrounds
We discovered that more established multi-role CISOs typically had experience in Risk, Strategy, and Compliance, which are historically common specialisations in financial firms, whereas the new generation of CISOs who have landed their first roles in the last three years have more technical experience in areas such as IT architecture, Cloud, and IT infrastructure.

Our Interpretation: This was particularly interesting, as we felt it indicates where Security is deemed to sit within the organisation. Sitting within Technology tends to result in a reporting line into the CIO, further up into the COO or CFO and then into the board. It is a widely held belief within the CISO community that the CISO should sit outside of Technology and report directly to the ExCo (Executive Committee). This maintains impartiality and mitigates undue pressure on the CISO to align with the CIO.

Sitting apart from Technology will also ensure that the role is somewhat protected from cost-cutting measures focused on the broader Technology teams.

  • Next generation CISOs are also getting younger. Today it takes just 19 years of experience on average before an individual steps into their first CISO role, whereas historically, this figure has been closer to 23 years.

Our Interpretation: We believe this shows that Security is now a viable career path which is allowing candidates to achieve their first role of CISO four years sooner. It can also mean there are more CISO opportunities for people, whereas before there were fewer roles and more candidates.

Since Steve Katz became the first CISO in 1995 at CITI Group, the Financial Services sector has historically dominated the demand for security talent. Our research shows that of those CISOs who have had multiple roles, 48% started their careers within Finance and Banking. This drops to 38% for those who are in their first CISO role now.

With a broader range of sectors and organisations holding more critical data and being susceptible to debilitating attacks, such as the 2017 NotPetya ransomware attack, the role of the CISO has proliferated. The largest increase in demand and growth is within Pharma and Health, where we have seen a 7% increase in CISOs beginning their careers in this area.

Many CISOs historically started their careers in Finance and Banking (48%).
They have since moved into other sectors, such as Professional Services or Pharma and Health (7% increase).


While the candidate market is more competitive, we found that most organisations still hire CISOs from outside, rather than promote them internally. Of the 431 CISO hires that were analysed in this study, an internal successor was selected in only 35% of cases. This brings into question how organisations can
build resilience and succession planning into their security teams. With 3.5 million vacancies, burnout and stress impacting those already in these critical leadership roles, how do business leaders protect the people who are protecting them?

We offer 10 considerations for ensuring your business is protected from the security leadership crisis:

1. Diagnose your organisation’s unique talent requirements. Do you have a CISO on your board? Do you know the right organisational structure of cyber skills to protect the specific requirements of your business?

2. Focus on retention, development, and succession planning. Be aware of rising salaries and ensure adequate compensation and incentives.

3. Proactively develop an active cyber talent pipeline. This will help mitigate the risks posed by losses that might occur.

4. Think about gender diversity. Currently 25% of all security leaders are women, with this expected to go up to 30% in the next few years.

5. Drive initiatives for organic growth and inclusive hiring. How are you attracting talent? Qualities attributed to certain neurodiverse groups are well suited to careers in Security, so it pays to ensure that our wording and approach are inclusive.

Read the full article here

6. Align your HR processes. This will enable rapid hiring and onboarding of talent.

7. Define urgency and timeline. What cyber skills do you need to access quickly to guard against reputational or other risks? Build relationships with external partners who can deliver quality leaders at pace.

8. Benchmark your internal succession candidates against the external market, based on the previously defined set of expertise and experience.

9. Build reporting lines for transparency and trust. Who does your CISO report to? Is this the best set up? The CISO should have direct lines of communication to the board and have built up relationships and trust.

10. Think outside the box. Consider looking at different pathways and adjacent sectors, roles and profiles for future talent. Look beyond Technology.

1 Savannah Group, using its proprietary AI technology MapX, analysed a global sample of 200 CISOs.

Notes on Study Methodology: 

  • We analysed over 200 CISOs, but we mention a sample of 431 CISO hires. This is because our sample is 219 CISOs, but that covers 431 CISO role moves (i.e. into the first CISO role or CISO to CISO role).
  • The study started on 15th February 2023 and was conducted over a period of approximately two weeks. 
Subscribe to receive actionable leadership insights to your inbox