What do we need to know about the Chief Information Security Officer? A literature review and research agenda

Abstract

Since its establishment in the 1990s, the role of chief information security officer (CISO) has become critical to organizations in managing cybersecurity risks. However, despite widespread recognition of the importance of this role in industry, research about CISOs and the problems they face in protecting organizations is nascent. We review the academic and practitioner literature on CISOs to identify existing themes and highlight a range of challenges related to CISOs in which further research is needed, such as establishing legitimacy within C-suite executive teams, appropriate accountability for cybersecurity incidents, CISO turnover, and promoting security in the face of human factors, business realities, and budget constraints. We also propose a research agenda to address these challenges using potential theoretical lenses. In these ways, this study lays the groundwork for future research on CISOs and their essential role in ensuring the cybersecurity of organizations.