The CISO's Struggle for Respect in the Enterprise
Within the past year, the role of Chief Information Security Officer (CISO) has become
increasingly visible in the enterprise. The position has evolved from a high-level IT administrator
into a C-level executive, one who is under constant pressure. The cause of the
heightened visibility is unfortunately all too easy to identify: since the Target breach, media
coverage of data breaches has intensified, bringing cybersecurity into the public eye. Not a
week goes by without a high-profile breach in the headlines, and that is creating speculation in the
press and beyond about what enterprises and governments are doing to fight cybercrime.
In the past year, boards have appointed CISOs as a way to quell cybersecurity fears. But these
newly minted members of the C-suite have not been properly empowered; they are often given
limited decision-making authority and no power over the purse strings. Recently, we partnered
with Opinion Matters to conduct a survey of 203 C-level executives across the country in a
variety of vertical markets to better understand how they view the role of the CISO. The results
demonstrated that the rest of the executive team believes that CISOs should be held at arm's
length, with 74 percent responding that CISOs did not deserve a seat at the table and should
not be part of an organization's leadership team. Additionally, 44 percent of C-level executives
said that CISOs "should be accountable for any organizational data breaches," essentially
serving as a scapegoat should a breach occur. Surprisingly, just 27 percent actually believe
their CISO contributes greatly to improving day-to-day security.
The overall response to the survey indicates that CISOs are held in little regard by their peers.
But the survey also shows that in many cases CISOs have not been put in a position to
succeed. Without the power to make strategic or spending decisions, CISOs are unable to make
an impact on cybersecurity within their organizations. There is also confusion as to whom the
CISO should report to, with different organizational structures placing them under the CEO,
the CIO, or even the CFO. With the role of the CISO so poorly defined, it is easy to see why many
executives are skeptical: they likely do not understand what the CISO is there to accomplish.
Even when CISOs are given the proper authority, they still have to manage a delicate relationship
between cybersecurity policy and the needs of the business. Leadership realizes that in the age
of data breaches it can no longer afford to pay lip service to security issues. But if good
cybersecurity practice were to get in the way of a business function, it is doubtful that CISOs
would be able to convince their C-suite peers to take action. Further, it is unclear whether
enterprises are willing to do whatever it takes to protect their data, or their customers' data, if doing so has
an effect on the bottom line.
The CISO's seat at the table won't be earned easily; it will be hard fought, with change needed
on both sides. One of the first steps CISOs can take to rectify this problem is to
become more involved in business functions and to gain a better understanding of business
objectives and goals. More than two-thirds of the executives surveyed thought that CISOs lacked
awareness of organizational goals beyond cybersecurity, and that may explain why
they are skeptical of CISO demands. By developing a deeper understanding of organizational
goals, the CISO gains credibility and is able to build relationships with other department heads.
Cyber Warnings Magazine – September Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide