CISOs Should Report Directly to the CEO, Study Shows


Keeping senior leadership abreast of security strengths and vulnerabilities has become a top priority, according to financial sector Chief Information Security Officers (CISOs). And direct communication with the CEO has become imperative, as strong cyber defenses require increasingly rapid decision-making.

Financial institutions across the world should buckle up for new cyber threats, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC).

In a recent study, the non-profit heard from CISOs at various financial institutions that massive concern about cybersecurity has shone the spotlight on their role. At the same time, most CISOs report to the Chief Information Officer (CIO) or the Chief Risk Officer (CRO), not the Chief Executive Officer (CEO).

Specifically, 66% of CISOs report to the CIO, CRO or COO, and only 8% to the CEO. FS-ISAC argues that more CISOs should report higher up the chain of command so that decisions to strengthen cyber defenses are made faster.

“Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making,” according to the report.

Similar results were found in a study by Bitdefender in 2016, when CIOs and CISOs were already feeling under pressure to keep hackers at bay.

At the time, a third of CIOs said their job was becoming more important within the company’s hierarchy, and another third said their job had been completely transformed in recent years. The same CIOs said only 64 percent of cyberattacks could be stopped, detected or prevented with then-current resources.

Another takeaway from the FS-ISAC survey is that most CISOs believe employee training should be a top priority for improving security posture in the financial sector. Other respondents give priority to different measures, such as infrastructure upgrades (25%) and breach prevention (17%).

Employee training is indeed critical, not just for financial institutions but for every organization sitting on troves of data, as the advanced persistent threats (APTs) that constantly plague government institutions show: many of those intrusions begin with a phishing email that an employee opens.

However, infrastructure upgrades and patching deserve equal weight. As some readers will remember, the WannaCry outbreak spread through an SMBv1 flaw on Windows machines that had not applied Microsoft's MS17-010 update, released two months before the attack, and many of the victims were running versions of Windows that were long out of support. And the disastrous Equifax breach, disclosed just a few months later, leveraged an unpatched vulnerability in Apache Struts (CVE-2017-5638) for which a fix had been available since March 2017, well before the attackers got in.

In the aftermath of the breach, Equifax announced the immediate retirement of Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. The company's then CEO, Richard Smith, retired soon thereafter.