CISOs Still Struggling for Authority, Acceptance Among Execs

Despite increased awareness of the need for cyber-security at the highest levels of corporate management, CISOs lacked decision-making authority.


A recent survey found that despite a rash of high-profile data breaches in the last year, many executives fail to appreciate the CISO’s contributions.

The ThreatTrack survey, which polled 200 U.S.-based C-level executives at companies that employ CISOs, found just over half (51 percent) of respondents feel CISOs provide valuable guidance to senior leadership related to cyber-security--a decrease of 1 percent from 2014.

Around a quarter (27 percent) said CISOs typically possess broad awareness of organizational objectives and business needs outside of information security--down 5 percent from last year.

In addition, nearly half (47 percent) said CISOs should be accountable for any organizational data breach--a 3 percent increase compared to 2014. Just 25 percent said CISOs contribute greatly to improving day-to-day information security practices--down 2 percent from last year.

"What we found so surprising was that there was so little change over last year. Our expectation was that with all the attention high-profile data breaches were putting on enterprise cyber-security, and all the talk about the importance of having a CISO, that executives would have been much more informed about the value of a CISO and better understand their role. But that was not the case," Stuart Itkin, senior vice president of ThreatTrack Security, told eWEEK.

Itkin noted that despite increased awareness of the need for cyber-security at the highest levels of corporate management, CISOs still lacked decision-making authority, were not included in key decision-making, and were not included in C-suite level conversations.

"Many outside of IT view cyber-security as simply a technology issue subservient to the CIO. But that is shortsighted since cyber security is a much broader issue that encompasses technology, business processes and risk management," Itkin said. "Corporate cultures need to adopt a security-centric mindset and understand the pitfalls of today's connected workforce culture."

However, he noted that CISOs also need to become better communicators and stronger players in the C-suite in order to raise their profile and better educate their C-level peers about the value they and their teams bring to the organization.

"The CISO role is only going to grow in importance. Cyber-security will be an issue for the foreseeable future, and just like any other position in the security industry, strong talent is at a premium," Itkin said. "I think we'll see strong, successful CISOs of the future gain the respect and authority they need by being business enablers for their peers, helping their organization to grow and be productive while successfully mitigating risk and implementing a new generation of cyber security solutions."