APAC CISOs face many common workplace challenges and have the same opportunities as other roles, but in addition, they encounter lesser-discussed gender, cultural, and geographic impacts that affect the CISO role. Today, I’m delighted to announce the publication of the inaugural Career Paths Of CISOs In Asia Pacific report. This research examines the representation, career paths, and tenure of chief information security officers (CISOs) across the APAC region, a region that is as diverse in its security practices as it is in languages, geography, and regulations as well as business and cultural norms.
My Forrester colleague Chiara Bragato and I dissected the impact of these lesser-discussed factors on the CISO persona in companies that ranked in the top 100 of their respective countries’ stock exchange indexes in Australia, Singapore, the Philippines, India, and Malaysia. This deep dive into CISOs provides a broad and deep perspective on what it means to be a CISO in geographies, genders, and cultures that are not our own. As the saying by Saint Augustine goes, “The world is a book, and those who do not travel read only one page.”
Practitioners, Technologists, And Men Dominate The APAC CISO Role
The average APAC CISO has held the role 1.6 times and first attained the position more than two decades after earning their first bachelor’s degree. Yet these highly experienced, long-standing individuals still lean toward tech. Furthermore, their long years of experience don’t always earn them a seat in the executive suite. We found that, for APAC CISOs:
- STEM degrees reign supreme. Sixty-nine percent of CISOs with a university bachelor’s degree were trained in science, technology, engineering, or mathematics (STEM). This is significantly higher in India, where all CISOs have STEM undergrad degrees. It’s significantly lower for Australian CISOs, however, where 10% earned an arts degree and 34% hold a bachelor’s in business. Only 35% of APAC CISO master’s degrees are MBAs, with the majority focusing on science and tech.
- The ‘C’ in CISO is “chief” in title only. In APAC, only 16% of companies give their CISO additional organizational titles such as vice president or director, whereas 55% of those we examined in Fortune 500 CISO career paths hold such recognition. Often in APAC, the CISO is given the title without the organizational seniority or a seat at the executive table. Execs don’t always want a techie at their table, and they want a leader, not a practitioner. A deeper dive into CISOs’ certifications showed an enthusiastic acquisition of certs more suited to practitioners than senior execs.
- APAC women CISOs face a tempered glass ceiling. A lack of gender representation in cybersecurity is not a new challenge. It is, however, one that needs to be urgently addressed across this region, where women accounted for only 9% of CISOs. While it’s easy to attribute this to different business and cultural expectations across geographies, inexcusable systemic issues remain. The gap widens even more in some countries. For example, only one of 30 CISOs in Malaysia and only one of 20 in India are women. Not only is it difficult for women to attain CISO roles, it’s also difficult for them to stay in one. On average, male APAC CISOs have been in their role 34% longer than women CISOs. The tremendous efforts by industry associations such as the Australian Women in Security Network and the Women in Security Alliance Philippines, coupled with overall cultural support and policies supporting women in the workforce, may be chipping away at gender disparity — four of 19 CISOs in the Philippines are women and 15% of Australian CISOs examined are women.
APAC CISOs: Sharpen Your Main Blade
As APAC cybersecurity dynamics continue to change, CISOs need to step into a C-level seat. They’ll need to do so by broadening their skills from STEM. There’s no question about the importance of technology skills for CISOs, but they need to balance that technical acumen with financial, budgeting, staffing, and other business, leadership, and human skills to lead a modern-day cybersecurity function.
CISOs and organizations also need to hire and sponsor the next generation of women leaders and maintain toxicity-free workplaces. Not only is APAC missing out on all the benefits of diverse leadership, but the shorter tenure of women CISOs means that they have less time to execute their strategies, progress in their careers, and grow in their leadership roles. Beyond the harm to women’s careers, we risk losing these leaders from the industry altogether, and the much-needed cyber risk reduction their strategies were meant to deliver is either lost or delayed.
Forrester clients who want to learn about how CISO career paths and expectations vary within and outside of the Asia Pacific region, as well as how they can build the leadership skills that APAC will require in the coming years, should schedule a guidance session with me.
This blog and research were created in large part due to the tireless efforts of my research associate, Chiara Bragato.