Security Experts:

C-Level Execs to CISOs: No Seat for You!

Enterprise Board of Directors Room

While information security is being increasingly treated as a strategic concern, many c-suite executives appear to still not consider chief information security officers as equal partners.

In a recent survey of 203 U.S.-based CEOs, CIOs, CFOs, presidents, COOs, general counsels, chief legal officers, and chief compliance officers, nearly three-quarters, or 74 percent, said CISOs did not deserve a seat at the leadership table. About 44 percent of the executives said CISOs should be held accountable for organizational data breaches, but more than 50 percent did not believe that CISOs should be responsible for cybersecurity purchases. ThreatTrack Security commissioned the report, which was conducted by market research firm Opinion Matters in June and July. All the organizations in the survey employed either a CSO or a CISO.

“CISOs are often viewed simply as convenient scapegoats in the event of a headline-grabbing data breach, and they are significantly undervalued for the work they do every day to keep corporate data secure," said Julian Waits, Sr., president and CEO of ThreatTrack Security.

Interestingly, the scapegoating seems more prevalent among retail and healthcare companies, at 65 percent and 55 percent respectively, which are also among the most commonly targeted industry sectors.

This is also a difficult position to place the CISO—responsible for what happens to the network and data, but not having any authority to make decisions on what to invest in to protect the organization.

No Seat at the Board for CISOs

“If CISOs are not consulted by senior executives during decision-making processes, how can they be held responsible for major security breaches?" Waits said.

The senior executives aren't just dismissing the contributions of their information security peers. In some cases, they view their CISOs as adversaries. In the survey, 28 percent of executives said a decision by the CISO hurt their business' bottom line. The negative effects included lost business, decreased productivity, and impaired service levels, according to the survey.

Even though 28 percent is a minority, it raises the question of whether CISOs are truly ineffective or "is the role so demanding that it becomes impossible to please all stakeholders?" the report asked.

Even though security is becoming a board-level concern and senior executives are realizing the importance of focusing on the risks and threats facing their organizations, it is clear from the survey that CISOs face a lot of challenges in earning the respect of their peers. In fact, only 27 percent of respondents said their CISO contributed greatly to improving day-to-day security.

Only 23 percent of participants gave their CISO an A for excellence in overall performance, while 42 percent gave B for above average, and 30 percent gave C for average.

These figures may explain why many companies don't even bother to name CISOs to oversee their security strategy and initiatives. Remember that Target hired its first CISO only after its massive data breach. Sony also did not hire a CSO until after the cyberattacks against Sony PlayStation Network and Sony Online Entertainment exposed account information for millions of users back in 2011.

The report uncovered the possibility of a turf war between CISOs and CIOs. CEOs tend to have a more charitable attitude towards CISOs than CIOs. About 43 percent of CEOs gave the CISO an A, compared to just 22 percent of CIOs. CIOs were more likely to blame CISOs for data breaches, at 53 percent, compared to 52 percent of CEOs, 35 percent of COOs, and 43 percent of CFOs.

"These CIOs may have an ulterior motive: to protect their turf by deflecting blame for incidents to a lower-ranking position," the report speculated.

However, it's also worth noting that the same number of CIOs said CISOs should be "responsible and accountable for all information security strategies and cybersecurity technology purchasing decisions.”

CISOs, and the teams that work with them, should be viewed as drivers for business protection and growth, Waits said. Part of the problem may be because CISOs don't always show awareness of "organizational objectives and business needs outside of information security,” according to 68 percent of executives in the survey. More than 60 percent of the respondents believed the CISO would not be successful in a non-security-related leadership role within their organization.

Gartner recommends that CISOs “raise their visibility as enterprise strategists, aligning their efforts with overall business needs and risk requirements.” CISOs need managerial skills that emphasize collaboration and communication, Gartner said.

A recent Wisegate report found that soft skills such as communication, understanding business strategy and objectives, and risk assessment are increasingly becoming critical skills for CISOs to have. This latest survey shows that without these skills, CISOs will continue to be left out of any meaningful decision-making processes.

“The CISO’s role has become increasingly complex and demanding, yet the value of their contributions aren’t fully understood or appreciated by peers,” Waits said.

Related Reading: Getting the CISO a Seat

Related Reading: Data Breaches Can Lead to Customer Drop-Off

Related Reading: CISO Study Outlines Challenges, Successes of Security Executives

Related Reading: Many CEOs and CISOs Not Communicating on Security, Survey Finds

Related Reading: Target CEO Exit Highlights Business Side of Security

Related Reading: Are We Ready to Take These Breaches More Seriously Now?

Related Reading: How a CISO Can Be a Change Agent Within a Company

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.