Do CISOs deserve a seat at the leadership table?
ThreatTrack Security published a survey study of C-level executives that underscores a hotly-debated topic in executive circles: what is the role of the CISO?
“The CISO’s role has become increasingly complex and demanding, yet the value of their contributions aren’t fully understood or appreciated by peers,” concluded ThreatTrack Security CEO Julian Waits, Sr. “Our research suggests that CISOs are often viewed simply as convenient scapegoats in the event of a headline-grabbing data breach, and they are significantly undervalued for the work they do every day to keep corporate data secure. This perception needs to change, as CISOs, and the teams that work with them, should be viewed as drivers for business protection and growth.”
Gartner believes “Enterprises should view the CISO as a business leader, and look to fill these roles with individuals who combine management skills and business knowledge with technical credibility.”
However, the study revealed that 74% of respondents do not agree that CISOs should be part of an organization’s leadership team. Nearly half (44%) of C-level executives view the primary role of the CISO as being “accountable for any organizational data breaches.”
Gartner recommends that CISOs “raise their visibility as enterprise strategists, aligning their efforts with overall business needs and risk requirements,” and that the “key skills required by a successful CISO are increasingly managerial, collaborative and communicative.”
Survey respondents say that CISOs are struggling in this regard. Asked whether “CISOs typically possess broad awareness of organizational objectives and business needs outside of information security,” two-thirds (68%) did not agree. More than a quarter of respondents (28%) said their CISO has made cybersecurity decisions that have led to negative effects on the financial health of the organization, such as lost business, decreased productivity and impaired service levels.
“These findings point to a dilemma for CISOs and their peers in the C-suite,” continued Waits. “If CISOs are not consulted by senior executives during decision-making processes, how can they be held responsible for major security breaches? CISOs serve a vital role in cybersecurity, but are struggling for the recognition and authority they need to be effective in defending organizations from today’s precarious data security dangers.”
As the prominence of CISOs rises within enterprises, the survey revealed other opportunities for CISOs to improve their perception among senior leadership. Other findings included:
- Less than half (46%) of respondents believe CISOs should be responsible for cybersecurity purchasing decisions.
- More than a third (39%) of respondents believe their CISO would be successful taking another leadership role, outside of information security, within their organization.
- About a third (27%) of respondents believe their CISO contributes greatly to improving day-to-day security.
- The perception that the role of the CISO exists primarily to take responsibility for data breaches is especially prevalent among retail (65%) and healthcare (55%) companies, which are among the most common targets of cyber-attacks.
- Asked to grade the overall performance of their CISOs, 23% of participants gave their CISO an A for excellence; 42% said B for above average; and 30% said C for average.
The independent blind survey of 203 U.S.-based C-level executives – including CEOs, Presidents, CIOs, COOs, CFOs, General Counsels, Chief Legal Officers and Chief Compliance Officers in organizations that also employ either a CSO and/or CISO was conducted by Opinion Matters on behalf of ThreatTrack Security between June and July of 2014.