How has the convergence of cyber and physical security progressed?
Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) are often given the mission of leading the convergence of physical and digital security for their organisations. How are those in these roles coping with the challenge?
Presented as rivals by some, cohabitors by others, and a cost-saving exercise by the Chief Financial Officer (CFO), convergence of physical and digital security is not for the weak-willed. It is not a one-size-fits-all solution, and many in both disciplines have been unprepared for this union.
The Chief Security Officer (CSO) of today is a strategic thinker, tech-savvy in their business leadership, and an effective risk manager who can navigate evolving threats and organisational dynamics.
The Chief Information Security Officer (CISO) shares those qualities while being the person accountable for securing the organisation’s data and technology infrastructure against cyber threats, a remit that now also covers the secure integration of AI and the defence against intrusions that use it.
Neither started their journey with a career plan to the top, but both roles have developed to become pivotal as emerging risks are omnipresent.
A regulated landscape
The regulatory landscape gives both the CSO and the CISO the means to meet an organisation’s obligations in the UK and, for those trading with the EU, under the GDPR and the EU AI Act. The Network and Information Security Directive 2 (NIS2), the EU-wide cybersecurity legislation, places legal obligations on in-scope entities to raise the overall level of cybersecurity and to harmonise cyber resilience across the EU.
The National Cyber Security Centre (NCSC) promotes Cyber Essentials, the UK Government-backed certification scheme that sets a baseline of technical controls and is aimed mainly at small and medium-sized businesses seeking to keep their data safe. The NCSC reported that in the past 12 months there were 7.7 million cyber attacks in the UK.
The NCSC has also launched CISP, the Cyber Security Information Sharing Partnership, a free platform on which cybersecurity professionals can exchange cyber threat information in a secure and confidential environment. In the UK, prosecution of hackers and online fraudsters still rests on the Computer Misuse Act 1990. The forthcoming Cyber Security and Resilience Bill, announced in 2024, seeks to respond to recent attacks on the NHS, the education sector, retailers and leading corporations.
What is the effect?
How are CISOs coping with increasing legal scrutiny and regulatory cyber oversight? Not well. According to recent research from the Information Systems Security Association (ISSA), over half of those surveyed say their job is stressful most of the time, citing an overwhelming workload, uninterested business managers, and the effort of keeping up with the security requirements of new business initiatives. A third say it is likely or very likely that they will leave their current job within 12 months. Nearly half have considered leaving cybersecurity altogether. Most say they are frustrated because their organisation does not take cybersecurity seriously.
How is the CSO coping with increased regulation, reductions in physical security budgets, and persistent threats, all set against a boardroom whose risk appetite is growing in pursuit of greater shareholder and executive wealth? In general, they are frustrated that budget is withheld until a crisis response is required, such as the assassination of a corporate executive. All operate in an increasingly interconnected, matrixed, technology-driven, polycrisis global environment.
The ISSA research indicates that, given the age profile of CISOs, retirement rates are high, while others will move on to better-paid portfolio CISO roles or to field CISO positions with security technology vendors.
Within Europe, spending on cybersecurity and early AI adoption has created a market worth £39 billion, which Statista predicts will reach nearly £100 billion by 2030. The average global cost of a cyber attack is £4 million per incident, covering corporate recovery, client restitution, and cybersecurity upgrades. Over half of consumers say they distrust a company after a cyber breach.
Future leadership and remuneration
Competition for qualified candidates is fierce. There is no sizeable pool of next-generation CISO candidates with the C-suite experience to step up. This is where the CSO is well placed to take cybersecurity forward: generally longer in post, they understand regulatory risk, adapt when strategic decisions are needed, and are practised at presenting to the board.
This is driving pay inflation for both the CISO and the CSO, and for those in their reporting lines to the Chief Information Officer or Chief Technology Officer. In smaller organisations there is a growing trend for a cyber-focused CISO/CSO to report directly to the CEO, as this critical function takes the brunt of hostile attacks from state actors and organised crime alike.
Pay depends on a multitude of factors: whether the role is greenfield, replacing a long-serving incumbent, or responding to a loss; shareholder pressure; start-ups and break-ups; and the dynamics, shape and international reach of the sector. The top pay quartile for a UK CISO ranges from £215,000 to £330,000, and the CSO is similarly matched. Both would be awarded long-term incentives, which should double their remuneration over a five-to-eight-year horizon. Sector bonuses are usually up to 50% of base pay.
Additional factors
Agentic AI refers to a type of artificial intelligence system that can act autonomously (think of a chatbot on steroids), making decisions and pursuing goals with limited human supervision. These systems exhibit agency: they understand context, interpret instructions, set goals, reason through tasks, and adapt their actions as conditions change. Essentially, they aim to operate more like a human employee, performing tasks and making decisions with a degree of independence. For a security leader, that independence is precisely the point to watch: an agent that can act on instructions and use tools needs the same least-privilege controls and monitoring that would be applied to a human employee with the same access.
The World Economic Forum forecasts a net gain of 78 million jobs by 2030 through AI activities; in Europe, the private security sector will add 500,000 roles. Security leaders will need a dual skill set, spanning physical and cyber security, to protect their organisations.
Human expertise, collaboration, boardroom trust and continuous adaptation to evolving threats will remain essential components of effective security strategies.
Peter French MBE CPP
CEO SSR® Personnel