A recent report has revealed that only five of the Fortune 100 companies list their head of security among their top management. This raises questions about the power and influence of Chief Information Security Officers (CISOs) within organizations, and whether they have the authority to intervene when a line-of-business executive takes a risky action. It also brings into focus the level of support CISOs receive from CEOs and other executives.
The fears and concerns surrounding the role of CISOs were vividly captured in a LinkedIn discussion initiated by Derek Andrews, the director of cybersecurity operations and incident response for a large nonprofit organization. Andrews expressed his belief that the CISO is often a scapegoat rather than a true decision-maker in the executive circle. According to Andrews, a security proposal has to pass through three layers of approval before it receives organizational backing, and by the time it gets there it has often been diluted to mundane measures like phishing training.
Andrews raised a key question: why do enterprises allow individual business units to make decisions on risky actions, rather than entrusting this responsibility to the CISO? He noted that no organization permits each business unit to run its own network, so why should they allow marketing or other departments to accept cyber risks that can impact the entire organization? Andrews argued that accountability for accepting cyber risks should lie with the business units, rather than the CISO who often takes the blame.
The lack of power given to CISOs compared to other C-level executives raises concerns about the efficacy of enterprise cybersecurity strategies. It can lead to a climate where CISOs hesitate to exercise their authority, fearing that they will be overridden by other executives and pressured into approving actions they know to be risky.
Barak Engel, CEO of the security firm EAmmune and author of “Why CISOs Fail,” suggests that part of the problem lies in market forces. When companies experience major security breaches, their stock prices may dip temporarily, but they usually recover quickly. This has led CEOs to question the long-term impact of security breaches and perceive security as a lower priority, even though CISOs emphasize the potential risks. Engel argues that CISOs need to communicate the importance of cybersecurity in business terms that CEOs can understand, rather than relying on scary stories.
Another challenge stems from how recently cybersecurity arrived on the CEO's strategic agenda. While Fortune 500 companies have a deep understanding of, and comfort with, risks in areas such as legal, financial, HR, and compliance, cybersecurity risk is often seen as complex and difficult to grasp. Dirk Hodgson, director of cybersecurity for NTT Australia, believes there is a fundamental difference in expectations between cybersecurity and other business units. Until this gap is bridged, CISOs may struggle to gain the respect and authority they require.
Oliver Tavakoli, CTO of Vectra AI, notes that cybersecurity is often only addressed when a crisis occurs, making it challenging for CISOs to develop a rapport with other executives under normal circumstances. He suggests that CISOs need to be seen as valuable contributors, rather than just heroes to other CISOs.
For Brian Walker, CEO of cybersecurity consulting firm the Cap Group, the key to CISOs having authority lies in the support they receive from their superiors. If the CISO has the authority but lacks backing from their boss, their power is undermined.
In conclusion, the limited power and influence of CISOs within top management can undermine enterprise cybersecurity strategies and contribute to a less secure environment. Changing this situation requires effective communication from CISOs, a better understanding of cybersecurity risks by CEOs, and the support and backing of CISOs by their superiors. Only by addressing these challenges can organizations truly prioritize and implement effective cybersecurity measures.