A ThreatTrack security survey of C-level executives at U.S. enterprises employing a CISO found that despite a rash of high-profile data breaches in the last year, many in the C-suite still fail to fully appreciate their CISO’s contributions and view them primarily as scapegoats in the event of a data breach.
“Last year, we were surprised that so many executives neither understood nor valued the role of their CISO, and viewed them as convenient scapegoats in the event of a headline-grabbing data breach,” said ThreatTrack President John Lyons. “This year, the data is stunning. With growing concerns about data breaches, organizations appreciate the need for cybersecurity leadership at the highest levels but have failed to make progress in empowering CISOs with the authority they need to successfully defend their organizations. In some areas, CISOs have lost ground.”
47% of executives agreed their “organization should make it a priority to ensure your board of directors includes at least one member with a strong background in cybersecurity, possibly including someone who is, or has served as, a CISO at another enterprise.” 33% even said they already had at least one member who meets those requirements. However, that does not translate into increased support for CISOs. Only 25% of respondents said “CISOs deserve a seat at the table and should be part of an organization’s senior leadership team.”
The CISO’s value:
- Nearly 1 in 5 (19%) said “CISOs are primarily beneficial in that they represent an individual who is accountable for any data breaches”; broken down by role, 26% of CEOs and 14% of CIOs agreed
- Just half (51%) of respondents said “CISOs provide valuable guidance to senior leadership related to cybersecurity” (a decrease of 1% from 2014)
- 27% of executives (down 5% from last year) said “CISOs typically possess broad awareness of organizational objectives and business needs outside of information security”
- 41% (compared to 31% in 2014) said “CISOs are being hired to address critical gaps in organizations’ information security capabilities”.
The CISO’s role:
- Nearly half (47%) said that “CISOs should be accountable for any organizational data breach” (a 3% increase compared to 2014)
- 56% of respondents work in an organization where the CISO reports to the CIO and 41% report to the CEO
- Only 38% said “CISO should be responsible and accountable for all information security strategies and cybersecurity technology purchasing decisions” (an 8% decline compared to 2014)
- 21% (compared to 18% last year) said “CISOs should primarily be an advisor to IT and the CIO for information security strategy and cybersecurity technology purchasing decisions”.
“These results pose a real dilemma for CISOs,” continued Lyons. “If CISOs don’t have visibility into operational plans and strategy, and aren’t included in decision-making processes, how can they be held responsible for a major security issue? The need for information security is keenly appreciated, but CISOs are struggling for the recognition and authority they need to be effective in defending organizations from today’s increasingly sophisticated and frequent cyber threats.”
The CISO’s performance:
- On grading their CISOs, executives handed out far fewer A’s (10% vs. 23%) and more B’s (45% vs. 42%) and C’s (34% vs. 30%) when compared to last year
- Only 25% said “CISOs contribute greatly to improving our day-to-day information security practices” (down 2% from last year)
- Only 19% said that CISOs’ decisions have negatively impacted their business, but 20% said their CISO has yet to make a decision.
The CISO’s leadership:
- On the question of CISOs’ abilities as senior leaders, this year’s study found a strong jump in perception, almost a complete reversal from last year – 62% of executives (compared to 39% last year) said their CISO would be successful taking on a leadership position outside of IT security.