Out of the shadows: CISO in the spotlight!

Failing to keep their information secure and failing to comply with regulations exposes organisations to severe operational, legal, financial and reputational risk. There are business benefits from embedding security consciousness in the organisational culture and making it a core competency. In this survey, conducted by the Collège des Professionnels de la Sécurité de l’Information (CPSI) and PwC Luxembourg, the second since 2016, we assess market practices regarding the roles and responsibilities of the Chief Information Security Officer (CISO) or Information Security Officer (ISO), and in particular:

  • Their place in the corporate hierarchy
  • How their role has evolved since 2016
  • What is involved as part of their daily work
  • Their challenges with respect to local and international regulations 

Main challenges


Less than half (42%) of CISO/ISOs manage their own budget. Of these, many (64%), although fewer than in 2016, think that their budget is sufficient, and most (82%) expect it to increase. Most (91%) CISO/ISOs have a say in capital expenditure that may go towards buying security-related tools, but far fewer (46%) are consulted on operating expenses.

Job complexity

One of the key preoccupations of CISO/ISOs is the human factor in cybersecurity. The shortage of qualified security professionals, combined with negligent employees who have no clearly defined responsibilities and work in a complex IT environment, can cause a great deal of damage. Such employees often fall short of compliance, and even circumvent rules and secure practices.

Companies, for their own sustainability, need to promote a security culture in which everyone has the responsibility to observe and promote security practices and, more importantly, to behave in a conscious way that is aligned with the company’s information security strategy.

Key takeaways and recommendations

Better manage third party risk

Build a comprehensive inventory of your third parties, and classify them according to the various dimensions of your Enterprise Risk Management framework, including level of exposure and security risk. With that in place, define minimum security requirements to be included in every contract. Develop a strategy to monitor third parties, including regular audits, concentrating your efforts on high-risk suppliers. Develop metrics to report on the overall performance of your third parties.

Test, monitor and improve your security controls on a regular basis

Define a programme for continually improving and refining your security controls. Identify lessons learned after each incident, and put measures in place to prevent it from recurring. Plan how frequently you will review your security controls. Draw up metrics to track changes in your security capabilities and identify areas for improvement. Take the opportunity to introduce unpredictability into your test scenarios and be ready to discover the unknown: if you are precise about the test scenario, it means that you already know what you are looking for, and therefore how you can improve.

Management needs independent and influential CISO/ISOs

Discuss with your management that, as CISO/ISO, you need to be involved in strategic information security-related decision-making. Raise the issue of independence with your management, especially if the current configuration affects your ability to raise security concerns freely and without fear of negative consequences.

Educate your employees

Use multiple communication channels (training classes, newsletters, flyers, etc.) to educate your workforce on cybersecurity risks. Ensure that employees understand their responsibilities and obligations regarding cybersecurity (e.g. complying with security procedures, reporting anything suspicious, etc.). They need to understand the good behaviours that will make a difference. Don’t use fear, but encouragement.

Contact us

Maxime Pallez

Cybersecurity Manager, PwC Luxembourg

Tel: +352 49 48 48 4166
