Out of the shadows: CISOs in the spotlight!

2020 CISO’s role and responsibilities survey

The Chief Information Security Officer (CISO) position in organisations is becoming more invaluable than ever as cyber-attacks are on the rise. The recent home-based working model of most businesses and institutions, as a result of the pandemic, has even given rise to more cyber-attacks.

Organisations need to rise to the occasion to protect their crown jewels, and this responsibility lies with the CISO to drive initiatives that will protect their organisation’s information systems, raise the information security awareness of the employees and ultimately protect the company and its resources from evolving cyber risks.

In this survey, we take a closer look at the role of the CISO and more specifically at the following aspects:

  • Typical profile of a CISO;
  • The CISO’s position and reporting line in the organisation;
  • The challenges CISOs face.

Lastly, based on our experience and best practice, we offer recommendations that would improve the overall experience of the CISO/ISO function in organisations.  

The companies we surveyed

The companies we surveyed

The companies that responded to this edition of our "Out of the shadows: CISO in the spotlight" survey, are based in Luxembourg and hence, represent the Luxembourg business landscape.

A total of 45 companies participated, out of which 53% are medium sized enterprises with less than 1000 employees. The majority (42%) of the respondent companies operate in the financial services sector. Other key business sectors such as the insurance, healthcare and public sectors are equally represented.

Company size

Company Size

Business sectors

Business sectors

Key Takeaways and Recommendations

Obtain management's support by providing more adequate budget, resources and time; and ensure they place top corporate priority on Information security.

This can be done by increasing your influence through active participation in corporate committees and by setting up a direct reporting line with the management.

Align your Information Security strategy with the organisation’s strategy in order to ensure management support.

This can be achieved through the promotion of Information Security within the company by elevating it as a market differentiator place.

Establish a reporting line with the Risk management function rather than IT management line in order to ensure independence in case of impactful decisions.

This can be reached by sensitising your management on Information Security and its objection with IT interests.

Place huge focus on third party risks and suppliers’ security management. Most recent Information Security incidents come from third parties and are usually the result of a poorly managed third-party security.

Several questionnaires document points to consider while contracting with suppliers (ISAE, SOC).

Set up a strong response to (ISAE, SOC). increasing threats, especially related to social engineering and ransomware.

This can be done through employees’ awareness and training on such risks and teaching on how to react.

Ensure a long-term information security strategy aligned with market best practices.

This is usually achieved by setting up a continuous improvement programme. International Standards provide clear guidance on the path to follow.

Contact us

Koen Maris

Cybersecurity Leader, PwC Luxembourg

Tel: +352 49 48 48 2096

Maxime Pallez

Cybersecurity Manager, PwC Luxembourg

Tel: +352 49 48 48 4166

Stay Connected: