CISOs Have Limited Corporate Influence, Accenture Reports

An Accenture study reveals that chief information security officers are lacking authority and visibility to effect change within their organizations.

Chief information security officers are responsible for developing and establishing cyber-security strategies and policies within their organizations. Yet, according to a new study from Accenture Security, many organizations don't give their CISOs the resources they need, and few CISOs have the required influence within enterprises to effect change.

The Securing the Future Enterprise Study Today-2018 report was released on July 10 and is based on a survey of 1,460 C-level executives. Among the highlights of the 36-page report is that 73 percent of respondents agree that cyber-security staff and activities need to be dispersed throughout an enterprise, yet 74 percent noted that cyber-security today is largely a centralized activity.

"The biggest surprise in our survey was the fact that fewer than one-third of CISOs and business leaders collaborate on a cyber-security plan and budget," Ryan LaSalle, managing director, North America Lead, at Accenture Security, told eWEEK.

The study also found that only 40 percent of CISOs say they always confer with business-unit leaders to understand the business before proposing a security approach, he added.

"This tells us that better alignment is needed earlier in the process between the C-suite and CISOs to reduce future cyber-risks," LaSalle said. "It's a two-way street, of course, so as CISOs convey key cyber-risks in more business-relevant terms, they become more valuable to business leaders and more effective at guiding decision making."

Influence

Of particular note, the study also found that CISOs have limited capabilities to influence business units across their organizations. CISOs’ lack of organizational influence is due to many factors, including a lack of understanding of cyber-risks among business executives and sometimes a failure by CISOs to take the initiative to collaborate, according to LaSalle.  

"For example, only 38 percent of business leaders bring the CISO into all discussions at the beginning stage of considering new business opportunities, so you cannot influence where you are not aware," he said. "Additionally, enterprise security professionals often only have responsibility for defending enterprise IT, while the attackers and the business owners are engaged across many points of the company's value chain."

LaSalle added that Accenture's research found that most respondents agreed with the idea that some kind of high-level role is needed to be a bridge between security and business units. He said that if CISOs cannot continue to evolve their roles and relationships, they will not be able to have the impact their business needs. 

Cloud Computing

One of the areas identified in the Accenture report as being a gap in cyber-security is cloud computing. Seventy-four percent of survey respondents noted that cloud services raise organizational cyber-risk, yet only 44 percent said that cloud technology is protected by their existing cyber-security strategy.

"While many security organizations have established cloud security and cloud governance programs, the gap is most likely attributed to business adoption moving more rapidly and across more dimensions than security can sustain," LaSalle said. "Cloud providers have significant security capabilities that can be deployed at the enterprise's discretion, but nearly half of CISOs acknowledge that their responsibilities for securing the organization are growing faster than their ability to address security issues. Hence the gap."

Helping CISOs 

LaSalle said that Accenture's research shows that CISOs are well-established in large companies yet few have the authority and visibility they need to influence business units and build cyber-resilience into their strategy. 

"For CISOs to function as sought-after collaborators and trusted partners, they need to work closely with business units to protect and enable the growth initiatives envisioned by top leadership," he said. "Cyber-security is everyone's responsibility, and companies must also spread knowledge among all levels of employees by implementing regular awareness training tailored to individuals' roles."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.