The chief information security officer may be a C-level position without C-level power, according to a white paper released Tuesday by anti-malware company ThreatTrack.
In the report, titled “CISO Role Still in Flux,” only 25 percent of the 200 enterprise executives surveyed across the U.S. said “CISOs contribute greatly to improving day-to-day security practices,” while 47 percent “view the CISO’s role primarily as a scapegoat who ‘should be held accountable for any organizational data breaches.’”
The issue has taken on a new importance in recent months as a string of high-profile hacks has rocked the nation’s faith in enterprise cybersecurity, including the OPM hacks that compromised the data of 22 million Americans.
CISO scrutiny may come unfairly in some cases, the report argues. While cybersecurity seems welcome enough in boardrooms, it is accepted in an “advisory” role rather than a “leadership” one. Without the power to enforce reforms as opposed to recommending them, CISOs can be paralyzed in their ability to do their jobs.
A staggering three-quarters of C-level executives surveyed — 150 CEOs, chief financial officers, chief operating officers and chief information officers from across enterprise — agreed that CISOs do not “deserve a seat at the table,” and that they should not “be part of an organization’s leadership team.” Only 27 percent of survey responders agreed that “CISOs typically possess broad awareness of organizational objectives and business needs outside of information security.”
Surprisingly, it appears that CISOs’ largest opponents are their colleagues on the IT side of enterprise. In the survey, only 17 percent of CIOs said that CISOs “deserve a seat at the table,” while 37 percent of CEOs expressed the same support. ThreatTrack speculates that this may be the product of hierarchical ambiguity between CISOs and CIOs; 55.5 percent of enterprise CISOs reportedly answer to a CIO, while 40.5 percent report directly to their CEO. In many instances, it becomes unclear who maintains control over key aspects of enterprise IT systems.
Another factor in CIO-CISO friction is the recent trend of financiers being hired into CIO positions, the result of a general industry shift toward using data analytics to make business decisions. When CIOs do not come from a strictly technical background, the report argues, it is easy to see why security measures might seem like an obstacle rather than an asset.
The solution, the report says, is the creation of an independent cybersecurity division.
“[W]hile the CISO may seem a natural fit for the CIO’s organization, an argument can be made that cybersecurity needs to become its own entity. As such the CISO … should have a direct line to the chief executive and the board because fighting cybersecurity threats is a critical corporate responsibility that if mishandled, can have dire consequences for the organization,” says the report, which exclusively surveyed private sector executives.
Though an industrywide shift may not come in the near future, the report encourages CISOs to stand their ground, or risk becoming obsolete.
“CISOs need to assert themselves in the corporate structure and do a better job of communicating their decisions and accomplishments throughout the organization,” it says. “If they can’t do this effectively, they stand little chance of ever being regarded as little more than a convenient scapegoat for data breaches.”