Why the CISO matters
The chief information security officer role hasn’t always gotten the respect it deserves. Research over the years has shown companies often treat their CISO primarily as a scapegoat for security incidents.
But that may be changing – at least it is in organizations with a strong cybersecurity culture. New research by (ISC)2 shows the overwhelming majority of companies that properly staff their cybersecurity teams employ a CISO.
The Building a Resilient Cybersecurity Culture study revealed that 86% of organizations that consider themselves adequately staffed with cybersecurity talent have a CISO. This is a substantially higher percentage than the 49% of companies overall with a CISO, according to other research.
The finding points to the likelihood that a CISO contributes to a better cybersecurity posture. The organizations in the study were selected for their cybersecurity credentials. These companies are doing something right; the point was to find out what that is.
Hiring a CISO is part of it. Companies that have one, and give the position the proper level of authority, recognize they need someone in the organization with a deep understanding of security risks and how to mitigate them.
If used properly, the position is in charge of developing the cybersecurity strategy, which includes making technology investments, hiring the right people for the cybersecurity team and ensuring team members’ skills are updated regularly to keep up with new and evolving threats. Making the right decisions in these areas can help stop a cyberattack, saving a company millions of dollars in direct costs and sparing its reputation.
While traditionally cybersecurity has been handled by the CIO and IT teams – which remains the case in many instances – cybersecurity has evolved into its own discipline, requiring skills and experience generalist IT professionals may not possess.
Another indicator of how seriously companies take their CISO is where the position fits in the management hierarchy. While a case can be made that the CISO should report to the CIO, the CIO has many other responsibilities and, as a result, may not give cybersecurity the priority it requires.
More than half of participants (57%) in the (ISC)2 study say their CISO reports to either the CEO or the Board of Directors. Elsewhere, the prevalent trend is for CISOs to report to the CIO, COO or another executive: a study in early 2018 revealed only 8% reported to the CEO.
The (ISC)2 finding on reporting structure is further evidence that CISOs need to be higher up in the management structure to be effective. Judging by the study’s results, a company that employs a CISO and has the position reporting directly to the CEO or directors is better prepared to face the dangers lurking in cyberspace.