Even after a year of debilitating data breaches and an increased focus on information security, chief information security officers are still trying to be taken seriously and to get a seat at the executive table, a new report has found. And in some cases, CISOs have lost ground.
CISOs are frequently fired after a data breach. In the second annual Role of the CISO report by ThreatTrack Security, nearly half of CEOs and other C-level executives in the United States who participated in the survey said CISOs should be held accountable if—when—a data breach occurs. However, just 38 percent advocated letting CISOs handle purchasing decisions and head up security strategy. This is a decline from last year, when 46 percent were comfortable giving some authority to the CISO.
Instead, senior management viewed the CISO primarily as an advisor to the IT organization and the CIO on information security strategy and security technology purchasing decisions, the report found. This perception is stronger this year, with the figure rising slightly to 21 percent, compared to 18 percent last year. The CEO appears to be thinking of the CISO as just another IT director.
“With growing concerns about data breaches, organizations appreciate the need for cybersecurity leadership at the highest levels but have failed to make progress in empowering CISOs with the authority they need to successfully defend their organizations,” said ThreatTrack president John Lyons.
It seems to be an unfair scenario for the CISO, as his or her job is on the line after a data breach, even if he or she had no authority to make changes or implement necessary plans.
The survey included 200 United States-based C-level executives in organizations that had either a CISO or a CSO. Job titles included CEOs, Presidents, CIOs, COOs, CFOs, General Counsels, Chief Legal Officers, and Chief Compliance Officers.
The senior executives weren’t downplaying the CISO’s role as a result of not understanding the importance of security. Nearly half of the respondents considered it a priority to ensure the Board of Directors included at least one member with a strong information security background, possibly a CISO at another organization, the report found. About a third said they already had at least one member filling that role.
Accepting IT security as an important strategic goal doesn’t translate to increased respect for CISOs, though, as only 25 percent of the respondents said CISOs deserve a seat at the table with the rest of the senior leadership team. In fact, 26 percent of the CEOs and 14 percent of CIOs said the primary benefit of having a CISO was to have someone accountable for data breaches. The buck still stops on the CISO’s desk. If a breach happens, it’s the CISO’s job on the line, as has been seen with recent breaches.
Half of the respondents said CISOs provide valuable security guidance to senior leadership and 41 percent of respondents said the CISO was necessary to address critical gaps in their information security capabilities, the survey found. But someone else still controlled the purse. More than half of the respondents worked in organizations where the CISO reported to the CIO, and 41 percent in organizations where the CISO reported to the CEO.
“If CISOs don’t have visibility into operational plans and strategy, and aren’t included in decision-making processes, how can they be held responsible for a major security issue?” Lyons said.
Senior management does not see the CISO as an equal partner because security decisions aren’t aligned with business goals. Only a quarter of the respondents said CISOs contribute greatly to improving day-to-day information security practices. Just 10 percent of the respondents gave the CISO a grade of an “A” for their performance, a significant drop from last year’s 23 percent. About 45 percent gave their CISO a “B” and 34 percent a “C.” CISOs in retail, financial services, and healthcare received the worst grades.
The job of the chief information security officer is not an easy one, and it doesn’t help if the role doesn’t come with professional respect or authority over strategy and purchases. And there is plenty of blame to go around.
The CISO may not be having a positive impact, but at least for some organizations, it’s not a negative one, either. Only 19 percent said CISO decisions negatively impacted their business. Even more telling is the perception among 20 percent of the respondents that their CISO had yet to make a decision, the report found.
It’s increasingly clear that CISOs need to understand business objectives and to align security with business goals in order to be effective. It’s not there yet. Only a quarter of executives said CISOs possess broad awareness of organizational objectives and business needs outside of information security.
The executives aren’t questioning the CISO’s leadership abilities, as 62 percent of executives in the survey said their CISO would be successful in a leadership position outside of IT security. In fact, 57 percent of CEOs and 50 percent of CIOs felt their CISO would be more effective as a non-IT security leader.
The full report is available online in PDF format.