
Fortune 500 Faces Major CISO Challenges


Just how committed are Fortune 500 companies to prioritizing information security and customer privacy? New research by cloud access security broker (CASB) Bitglass explores those issues and more in a new analysis aptly titled The Cloudfathers.

Alas, many large organizations “lack an authentic, lasting commitment” to enhancing cybersecurity, the Campbell, California-based CASB learned. Inasmuch as security breaches have cost major brands millions, prompted C-suite resignations, devalued stock prices and eroded customer confidence, it’s a bit difficult to understand how that can be. How is it that at the Fortune 500 level, there are often no clear cybersecurity leaders and no publicly stated, non-boilerplate commitments to secure customers’ privacy and data?

Here’s what Bitglass discovered in examining publicly-available information on Fortune 500 companies.

Insufficient C-suite leadership.

  • 38 percent of the 2019 Fortune 500 do not have a chief information security officer (CISO). Of that number, only 16 percent have another executive listed as responsible for cybersecurity strategy.
  • Of the 62 percent that do have a CISO, 4 percent are listed on their company’s leadership pages.
  • 77 percent of the Fortune 500 do not indicate on their websites who is responsible for their security strategy.
  • 52 percent of the Fortune 500 do not have a policy statement on their websites about protecting customers' and partners' data beyond what's legally mandated.

Maybe the dent isn't deep enough?

  • In the three largest breaches of publicly traded companies from each of the last three years, the mean number of individuals who had their personal information compromised by each breach was 257 million.
  • To date, these breaches have cost their companies an average of $347 million in legal fees, penalties, remediation costs, and other expenses.
  • On average, these enterprises suffered a 7.5 percent drop in stock price post-breach, leading to a mean market cap loss of $5.4 billion per company.
  • It took an average of 46 days for these companies’ stocks to return to their pre-breach prices.

Which industries take security seriously?

Most likely to list a security leader on their website:

  • Transportation: 57%
  • Aerospace: 33%
  • Insurance: 30%

Most likely to post information on their websites about how they protect customers’ and partners’ data:

  • Aerospace: 89%
  • Finance: 72%
  • Technology: 66%

Which industries side-step on security?

Least likely to list an executive responsible for cybersecurity strategy:

  • Hospitality: 0%
  • Manufacturing: 8%
  • Telecommunications: 9%

Least likely to post information on their websites about how they protect customers’ and partners’ data:

  • Construction: 25%
  • Oil & Gas: 25%
  • Hospitality: 25%

The net net?

“Organizations everywhere have made important commitments to improve the environment, deliver transparency in their supply chains, and cultivate diverse and inclusive corporate cultures,” Bitglass said. “Protecting personal data and consumer privacy should match any other area of corporate social responsibility,” the company concluded.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.