CISO’s Gain in C-Suite Stature, Optiv Study Shows
Nearly 60 percent of chief information security officers believe that effectively handling a security breach benefits them in the eyes of potential employers, Optiv Security’s 200 interviews with CISOs or senior security personnel in the U.S. and the U.K., showed. Make no mistake, however, this finding is anything but self-aggrandizement. It is instead a statement about the severity of the global cyber threat and the relatively newfound importance of CISO’s in an organization. The days when blame for a breach was first pointed at the CISO appear to be behind us.
Indeed, more than three-quarters of security pros consider cybersecurity so important as to become part of the C-suite career track. Optiv’s body of work, entitled The State of the CISO, asserts that no C-level position, including chief executive, has been more in flux in recent years than the CISO post. “A relatively new role in the corporate executive hierarchy, CISOs have traditionally reported to the chief information officer (CIO), because the job has been considered a largely technical one focused on security IT systems,” Optiv said.
As data breaches have reached epidemic levels and new data privacy regulations been written into law (e.g.,the European Union’s General Data Protection Regulation and California’s Consumer Privacy Act), the CISO’s role has changed, Optiv said. “Combined with CEOs being held accountable by boards for cybersecurity issues, this has helped to elevate some CISOs to a level commensurate with CIOs and other C-level executives,” the report said. This is not an across-the-board phenomenon: While many organizations relegate CISOs to traditional technical roles, others view the post as an indispensable part of the next-generation digital transformation.
Some of the study’s findings include:
- 96% of respondents either slightly or strongly agreed that senior executives have a better understanding of cybersecurity than they did five years ago.
- 67% said their businesses prioritize cybersecurity above all other business considerations.
- 76% indicated that cybersecurity risk has become important enough to businesses that CISOs will begin to be named as CEOs.
The survey also found that a significant number of CISOs are not following best practices with cybersecurity:
- 54% of U.S. CISOs and 44% of U.K. CISOs indicated that they practice their incident response plans once a year or less. Industry best practices call for frequent incident response tests and practice.
- When CISO’s were asked: “If you could stop the business for six months and have the luxury of time to execute any security priorities, which areas would you choose to focus on,” hardly any said they would “catch up on basic functions like patching and vulnerability scanning.” This despite studies showing that vulnerabilities are often cited as the most common source of data breaches (57% of all breaches, according to the Ponemon Institute).
Nearly 90 percent of CISOs said it would be worthwhile to have a global treaty in place on cybersecurity where countries agree to a set of principals governing their conduct on the internet. Such an agreement would “establish guardrails that decrease malign behavior,” the study said.