Chief information security officers will become more important in companies’ hierarchies as CEOs and board members face increasing internal and external security risks that could ruin customers’ trust and business forecasts, yet C-level executives exclude CISOs from business decision-making.
A recent KPMG survey of 1,250 energy-sector CEOs from 10 shows that CISO functions will become more important to organizations over the next three years. One in six chief executive officers consider that CSOs will have more influence inside the company than chief human resources officers. CEOs also plan to take steps soon to convene multiple meetings with their cyber security team at 60 percent, and more than half will have CSOs meet with their board. Security’s arrival at board level is also confirmed by one in three CEOs who admit having met four to six times in the past 12 months with their executive team or board of directors on cyber security.
Changes will happen as IT security budgets increase in coming months and more chief information security officers believe hackers may gain the upper hand two to five years from now, requiring stronger and more innovative defensive measures. And CEOs have started to understand that, although CIOs are not entirely certain of all the methods malicious hackers use to infiltrate systems, and businesses do not want to disclose their safety measures, according to a study by RAND Corporation.
Three quarters of technology executives expect their companies to spend 1% to 5% of their revenue on IT security over the next 12 months. Security and risk management are the biggest challenges for businesses adopting mobile technologies, the cloud and the Internet of Things. As revenue is expected to increase, six out of 10 tech business leaders expect their companies to hire more employees in the next 12 months, as KPMG shows.
It will be a long journey though. C-level executives regard the role of CISO primarily as a target for finger-pointing in the event of a data breach, and have little faith that individuals in the role could hold other leadership positions, as a whitepaper by Threat Track notes.
Despite their rising profile in recent years, Chief Information Security Officers (CISOs) still face a long climb in gaining the respect of many C-level executives. There is a prevailing notion that CISOs are primarily a scapegoat for security breaches, have not earned a seat at the senior leadership table and are unlikely to succeed in a leadership role outside of information security.
A Threat Track Security survey of 203 C-level executives at U.S.-based enterprises employing a CISO revealed that 44% of C-level executives believe CISOs "should be accountable for any organizational data breaches," but 54% believe CISOs should not be responsible for cybersecurity purchasing decisions. In other words, while CISOs deserve the blame for breaches in the minds of many executives, they should have limited say in acquiring the technology and resources to prevent them.
The perception of the CISO as scapegoat is especially prevalent among retail (65%) and healthcare (55%) companies - which are among the most common targets of cyber-attacks - as well as in the legal (67%) and professional services (52%) sectors.
While enterprises are increasingly turning to CISOs to head their cybersecurity operations 74% of respondents said they do not believe that "CISOs deserve a seat at the table and should be part of an organization's leadership team." These findings presented in the whitepaper reinforce the notion that CISOs are primarily viewed as convenient scapegoats in the event of a data breach, and that their input - and by extension increasingly complex cybersecurity decisions - should not have a leading role in shaping corporate strategy.
The study found that 47% of CISOs report to their CEO or president, while 45% report to the CIO, 4% to the Chief Compliance Officer, and less than 2% to the COO or CFO. Where CISOs report to the CEO or president, the corporate structure may lend itself to a turf battle between the CISO and CIO, which could help explain why more than half of CIOs buy into the scapegoat notion.
Simultaneously, CIOs’ role in the organization is perceived more important than the CISOs by chief executive officers and board members; CEOs consider CIOs as the third most important C- level executives after COOs and CFOs, following technological development boosting all industries. “Increasingly, CMOs and CIOs are now working together to create critical platforms and systems that support customer-centric digital marketing efforts”, Deloitte Insights says in The Journal. “In addition to empowering marketing, these collaborative efforts are also laying the groundwork for an entirely new, “right-speed IT” operating model in which IT “keeps the lights on” while simultaneously working with multiple business units to pursue strategic goals and innovate. In right-speed IT, CIOs optimize their operations for speed, creativity and agility, while preserving the rigor needed to maintain and operate the traditional stack. High speed for innovation, balanced with high torque for enterprise IT.”
CISOs’ increasing role in their companies presents some challenges regarding recruiting and salaries. Companies rush to hire security experts in the wake of several high-profile cyberattacks and, as Peter Metzger from CTPartners says to The Journal, in the last six months total compensation packages for Fortune 100 companies have increased by one-third: “In some cases, big banks are paying over $1 million. Healthcare companies are paying over $1 million, big insurance companies are paying over $1 million. Total compensation is $500,000 to $600,000 in other industries.” CIOs who play a key role in CISO recruitment efforts, say it is hard to quickly find and hire top cyber talent, even with high salaries.
As the world's largest companies start recruiting CISOs for board-level roles, these professionals will become key decision makers and advisors to CEOs. Money should not be a challenge, as two thirds of CFOs make cybersecurity a high or very high priority, while 71% have increased involvement in IT in the last three years, according to a study by big four accountancy firm Ernst & Young.
CISO positions will soon reach the “best jobs of the future” list, as both the number of unique malware samples and the global market expenditures steadily increase. And there are no clues that this growth might stop in the near future. Once CISOs take the spotlight, they will have to deliver fast and meet all expectations.