CISOs need to be forceful to gain leverage in the boardroom

Over 70% of CISOs feel that the importance of information security is not recognised by senior leadership, according to BSS.

The CISOs said their top four highest investment priorities in 2023 are change management (35%), information security resilience (34%), data security (32%), and information security assurance and testing (32%). These findings suggest a certain amount of information security maturity from organizations of all sizes, but the basics should never be underestimated, and multiple challenges are scuppering progress.

Poor attitude towards information security

Of the 150 information security decision makers surveyed, 28% of CISOs agreed that the value of their role was recognised by the board. 22% stated that they are actively involved in wider business strategy and decision making.

9% said information security is always in the top three priorities on the boardroom’s meeting agenda, identifying a worrying lack of buy-in to its importance for fundamental business operations.

Further to this, 49% agreed that there is a lack of C-level buy-in to the role of information security with 32% going as far to say that there is no C-Level buy-in at all. This poor attitude towards information security is highlighted by a notable 78% of respondents mentioning that high-profile security incidents have led to increased budget allocation and support – indicating investment for the wrong reasons.

Despite the increase in budget reported, 55% of CISOs surveyed say they are expected to spend their budget on what’s hitting the news headlines, rather than where it’s really needed. This is problematic, given that prevention, not reaction, is the key to effective information security management. The value of the CISOs input in where increased budgets are spent is not being recognised.

CISOs must keep pace with innovation

It is critical that CISOs keep pace with the degree of technological innovation alongside the evolving threat landscape. When executed effectively, change management helps organizations to plan and develop their security architectures and processes, enabling them to respond effectively to information security attack attempts.

From cloud transformation design, through to multi-person international change programmes in information security resilience and recovery, a structured process for evaluating a proposed system or service change is crucial.

With change projects requiring such a high level of organization, it’s no wonder that 37% of CISOs find it challenging to manage these projects. This pain increased further for CISOs of organizations with 500+ employees with 51% reporting difficulty in managing change projects.

But, with the correct frameworks in place, the trap of assuming the information security team will just cope with every change project can be avoided. In short, it should not be assumed that existing security resources can consume the additional effort required to support all necessary changes.

Speaking about the new research, BSS Director, Chris Wilkinson said: “CISOs need a seat at the table. Such a poor level of prioritization for information security is unacceptable in a world of evolving threats that can result in significant financial and reputational penalties.

“CISOs need to be forceful and use business impact as ammunition to give them leverage in the boardroom to receive the resources and investment they need. It’s high time CISOs are acknowledged as a vital enabler to commercial operations, with information security a part of every business decision.”