Home / Resources / News and Trends / Newsletters / AtIsaca / 2022 / Volume 22 / The CISO Evolution

The CISO Evolution

Author: Todd Fitzgerald, CISO and Cybersecurity Leadership Author
Date Published: 1 June 2022

Let’s travel back in time a bit to 1995. Michael Jordan returned to the NBA, DVDs were invented, and—most importantly, for the purposes of this article—the first CISO was hired. At that time, many organizations had a limited security focus, primarily centered on passwords and log-in security. Over time, there have been five stages in the CISO evolution (see timeline below), each adding to the job of the CISO. We’ve come a long way in the past 27 years!

The CISO Evolution Timeline
1995-2000: First CISO hired in 1995; limited security, log-on and password focus

2000-2004: Regulatory compliance era CISOs hired

2004-2008: Risk-oriented CISOs emerge

2008-2016: Threat-aware cybersecurity social/mobile/cloud CISOs

2016-2020s: Privacy and data-aware CISOs


Source: Fitzgerald, T. 2019. CISO COMPASS: Navigating Cybersecurity Leadership Skills with Insights from Pioneers, 1st Ed, Pg. 5. CRC Press, Boca Raton, Fl.

These days, the length of a CISO job description is more like a white paper than a classified ad in the 1990s. Consider the one in the series of images below.

Get your magnifying glass for this next part—there are a lot of responsibilities!

But wait. We’re not done yet.

In a survey of Fortune 500 companies, those CISOs with graduate degrees preferred the MBA 44% of the time.

The good news is there is a payoff for all these expectations. The median salary and bonus for a CISO in a large city in the US is just over $295,000, with top salaries reaching over $410,000. Industry vertical, size of organization, geography and team size adjust these expectations higher or lower.

And the reward goes beyond the salary—CISOs and security teams played a central role in readying organizations to survive the impacts of COVID-19, ranging from hackers leveraging unsecure networks to an increase in scams. In fact, we went far beyond that and often helped our organizations thrive and establish secure practices essential to the digital transformation journey. Many CISOs are passionate about the mission to protect their organizations, families and nations from adversaries.

The evolution of CISOs has been a positive one overall. We play a central role in not just protecting the business but enabling it. We are involved in the key digital trust issues that impact our customers every day. Our job is holistic, impacting everything from systems, structure, skills, and staff to strategy and beyond.

How did you get to where you are today? Or if you’re on the path to CISO, what is your next step?