Chief information security officers (CISOs) are often the first to shoulder the blame when a security breach occurs, yet are rarely part of the management decision process when it comes to enforcing security across the IT infrastructure - at least that is what a recent survey by ThreatTrack Security indicates.
The survey indicated that nearly three quarters of the US-based 203 executives polled expressed opinions that cast doubt on the leadership abilities of CISOs. When asked whether CISOs deserve a seat at the table and should be a part of an organization's leadership team, 74% of execs said, "no."
The respondents, which included CEOs, presidents, CIOs, COOs, CFOs and those providing high-level legal counsel at companies, were polled between June and July by Opinion Matters on behalf of ThreatTrack Security, a company providing security solutions to the enterprise.
The report also indicates that executives have a preconceived notion that the CISO is often a "scapegoat," following security breaches. That opinion is backed by an astounding 44% of C-level executives, which believe that CISOs should be held accountable for "any organizational data breaches," while 54 percent said that CISOs shouldn't be responsible for cyber security purchasing decisions.
Simply put, the report indicates that many executives feel that CISOs deserve the blame for breaches, yet many of those same executives feel that CISOs should have limited influence when acquiring the technology and resources to prevent breaches. A situation that proves to be a troubling conundrum for those in the role of the CISO, which indicates that CISOs need to become more vocal in their organizations and perform more research, reporting and influence pedaling in the enterprise.
While that may turn the CISO role into something of a pariah, the simple fact is that one should not accept blame, without having the responsibility to enforce security policy and be instrumental in the security decisions made in the enterprise.
CISOs can take some solace in the perception of the CISO as scapegoat has become prevalent among retail (65%) and healthcare (55%) companies, which indicates that the majority of those executives understand that unfair blame is placed upon the role.
It is that perception that should provide some leverage to CISOs to change their roles in an enterprise organization, perhaps providing them with the ammo to become a more influential member of the management team and reporting directly to CEOs, as opposed to lower C Level executives.
Part of the problem results from C-level executives still perceive CISOs as technologists that ultimately strive to make it more difficult to conduct business by putting technology in the way of data access ease. When in fact, CISOs are looking to protect intellectual property and the organization's operations from breaches using security technology. An important distinction that CISOs need to make clear to the whole management team.
Arguably, the best tool to accomplish that comes in the form of frequent reporting, showing breach attempts prevented, security issues resolved and an overall threat landscape. Luckily, most of the security technologies on the market provide the reporting tools to make that possible, and CISOs should leverage those capabilities to keep C-level executives keenly aware of the organization's security posturing, while also keeping their role high-profile in the organization.
The survey also asked participants to grade their CISOs on their overall performance - which showed that most CISOs roles earned a "B" or "C" (72%) for their ability to prevent data breaches and prevent sophisticated cyber threats. Some 28 percent of those polled also said that decisions made by their CISO hurt the business's bottom line, indicating that either those CISOs are not performing their duties correctly, or more likely failing to inform executives of the value of decisions made to protect resources.
Either way, CISOs need to step up their game and inform executive staff of the threats placed against modern technologies and what must be done to protect those resources - something that takes due diligence, frequent reporting, and most importantly - a higher profile in the organization.
Tech Pro Research CIO report
This topic was also covered in an October 2013 report from Tech Pro Research, TechRepublic's premium content sister site. That report, The CIO as a business catalyst: Role, relevance and value, discovered that 64% of survey respondents considered the role of CIO as more relevant now than five years ago.