
Several Fortune 100 Companies Lack Security Professionals in Executive Roles – Krebs on Security


The Fortune 100 list is a prestigious ranking that showcases the largest and most influential companies in the United States. While the list has undergone changes over the years, there is one aspect that remains relatively constant: the absence of security professionals in top executive positions within these companies.

In a recent analysis conducted by KrebsOnSecurity, it was revealed that only five out of the Fortune 100 companies currently list a Chief Security Officer (CSO) or Chief Information Security Officer (CISO) within their executive leadership pages on their websites. This number has remained largely unchanged since 2018 when a similar analysis was conducted.

The five companies that do include a security professional in their highest ranks are BestBuy, Cigna, Coca-Cola, Disney, and Walmart. While this may seem like a small number, it is worth noting that these companies signal the weight they give to customer security and privacy by dedicating a top-level position to security.

Furthermore, the analysis found that one-third of last year’s Fortune 100 companies had a Chief Technology Officer (CTO), indicating the recognition of the importance of technology in their organizations. Additionally, 40 companies listed Chief Information Officer (CIO) roles, while only 21 included a Chief Risk Officer (CRO). It is interesting to observe which executive positions are deemed significant by these top companies.

However, it is crucial to note that the absence of security professionals in top executive positions does not necessarily mean that these companies do not have individuals fulfilling these roles. In fact, a review of LinkedIn profiles suggests that most Fortune 100 companies do have people in CISO or CSO roles. Experts also suggest that larger multinational companies may have multiple individuals in these positions.

The discrepancy lies in the fact that these security professionals are not featured on the executive leadership pages of company websites. This raises questions about the level of importance attributed to cybersecurity and risk management within these organizations. Even though data breaches have a direct and well-documented impact on functions such as marketing and human resources, more companies choose not to highlight their chief security personnel in their top ranks.

One possible explanation for this omission is that security leaders do not report directly to the CEO, board of directors, or Chief Risk Officer. Instead, they often report to technical executives such as the CTO or CIO. This unequal reporting structure can lead to a situation where cybersecurity and risk concerns are overshadowed by initiatives aimed at increasing productivity and business growth.

Tari Schreider, an analyst with Datos Insights, emphasizes the importance of separation of duties in security. He highlights that when CISOs or CSOs report to technology heads, this critical separation is violated. This violation can compromise the prioritization and implementation of effective cybersecurity measures within organizations.

A survey conducted by IANS, an organization focused on CISOs/CSOs and their teams, further supports these findings. The survey, which included over 500 organizations, revealed that approximately 65 percent of CISOs still report to a technical leader, such as the CTO or CIO. Of this workforce, 46 percent reported to a CIO, while 15 percent reported directly to a CTO.

Schreider also notes that the lack of legal and insurance protections available to security leaders contributes to their absence from top executive ranks. Larger companies often purchase Directors and Officers liability policies to cover legal expenses in case their executives face legal challenges related to business failings. However, security leaders who do not enjoy these protections are less likely to be listed among the highest ranks of the organization.

The consequences of this omission are significant. When cybersecurity incidents occur, CISOs and CSOs often bear the responsibility without the accompanying legal support. This puts them at risk of becoming scapegoats for organizational failures in the face of hacks or data breaches.

Additionally, a survey conducted by Accenture earlier this year revealed that only one-third of organizations surveyed had integrated security into every aspect of their businesses. This integration includes having CISOs or CSOs reporting to individuals responsible for overseeing enterprise risk as a whole. The survey also indicated that cybersecurity risk was not considered to a great extent when evaluating overall enterprise risk.

These findings illustrate the need for organizations to prioritize cybersecurity and risk management at the highest levels. By including security professionals in top executive ranks, companies can demonstrate their commitment to protecting customer data and mitigating potential risks.
