Out of the shadows: CISOs and DPOs in the spotlight!

With the active support of the Club de la Sécurité de l’Information (CLUSIL), the Commission Nationale pour la Protection des Données (CNPD), the Commission de Surveillance du Secteur Financier (CSSF), and the Institut Luxembourgeois de Régulation (ILR), we are happy to release the 2024 edition of the Out of the shadows: CISOs and DPOs in the spotlight! survey. With a larger sample and expanded sections, this latest edition aims to provide valuable insights for all public and private stakeholders on how CISOs and DPOs in Luxembourg can emerge as key players in safeguarding their organisations.

European regulations are a recurrent theme, increasingly shaping Luxembourg's cybersecurity and data protection landscape. CISOs consider the enhanced awareness of digital operational resilience among top management to be one of the Digital Operational Resilience Act (DORA)’s main contributions to cybersecurity. DPOs, on the other hand, seem to be more operations-oriented, stating that the improved level of security in their company is DORA’s main benefit. Over three-quarters of CISOs and half of DPOs expect the revised Network and Information systems Security Directive (NIS2) to bring them more regulatory compliance duties and expanded cybersecurity measures for their companies.

Download our survey

Close to a quarter of respondents were women, an improvement compared to 8% in the 2022 edition of our survey. Nevertheless, Luxembourg's cybersecurity and data privacy fields still have a long way to go in closing the gender gap.

Respondents' gender, 2022-2024

Over half of CISOs highlighted political decisions – namely, decisions taken which put individuals’ career interests ahead of the company’s interests – as a barrier to professional success. However, when compared with the last edition of the survey, internal silos and shadow IT have decreased as a barrier to the fulfilment of CISOs’ and DPOs’ responsibilities.

With over a fifth of respondents stating that their companies have been affected by a security incident at least once, cyber threats have undoubtedly become a significant concern for the Luxembourgish private and public sectors. Nonetheless, CISOs and DPOs are generally optimistic regarding how cybersecurity and data compliance have improved significantly over the last few years.

Companies should leverage digital practices to enhance efficiency, revenue, and competitiveness while preparing for future challenges. The capacity to anticipate, prepare for, respond to, recover from, and adapt to cyberattacks has become significant. These combined efforts are progressively shaping the future of CISOs and DPOs, allowing them to become more active in their organisations and ensure they are better equipped and prepared for dealing with all sorts of cyber threats.

Both CISOs and DPOs are involved in implementing artificial intelligence (AI) projects, with the former being slightly more likely to be involved from the start and receive support requests. CISOs consider threat detection, the amplification of data categories, continuous monitoring, and customised intelligence to be the main benefits of Generative AI (GenAI). On the other hand, DPOs expect GenAI to amplify the types of data available to firms, support compliance efforts, and strengthen defences.

Apart from DORA and the NIS2, well-implemented cybersecurity and data privacy regulations are crucial to prevent such incidents and ensure the security and resilience of networks and information systems. The EU has been a pioneer in this regard; surprisingly, the Data Governance Act is seen as one of the regulations impacting CISOs and DPOs the most. Nevertheless, it should be recalled that this regulation is not about data governance but a framework that will facilitate and promote voluntary data-sharing. At the same time, the Data Act structures the framework and clarifies who can create value from data and under which conditions.