Chief Information Security Officers Viewed as Scapegoats in C-Suite Survey

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Joyce E. Cutler  

Aug. 4 — A majority of the C-suite believes chief information security officers should have all the blame and none of the authority concerning cybersecurity matters, according to a ThreatTrack Security Inc. report released July 31.

In a survey of 203 executives in U.S. companies that employ a chief security officer or chief information security officer (CISO), 43.8 percent said CISOs should be accountable for any organization data breaches.

However, 54 percent of the chief executive officers, chief information officers (CIOs), chief operating officers (COOs), chief financial officers (CFOs), general counsels, chief legal officers and chief compliance officers surveyed said CISOs shouldn't be responsible for cybersecurity purchasing decisions. And only 25.6 percent said CISOs should be part of an organization's senior leadership team.

“In other words, while CISOs deserve the blame for breaches in the minds of many executives, they should have limited say in acquiring the technology and resources to prevent them,” the report found.

Retail, Health-Care Sectors

The perception of the CISO as a scapegoat is especially prevalent among the retail sector (65 percent) and the healthcare sector (55 percent), which the report identified as among the most common targets of cyberattacks. This perception is also prevalent in the legal (67 percent) and professional services (52 percent) sectors.

“The sentiment in the retail sector may be explained, at least partly, by the aftermath of last year's Target data breach,” the report stated. “More than half of all respondents (51%)—indicated they did not think it was ‘fair’ for Target to fire its CEO and CIO in the wake of the high-profile data breach.”

Target Corp. reported a data breach affecting 40 million payment cards during the 2013 holiday season, and it later revealed that e-mail and other contact information on as many as 30 million customers may have been compromised. Target CEO Gregg Steinhafel announced in May that he was stepping down as chairman, president and CEO.

Demanding Role

Although enterprises increasingly are turning to CISOs to head their cybersecurity operations, 61 percent of the executives surveyed said they didn't believe their CISO would be successful in a leadership role outside of information security.

“The CISO's role has become increasingly complex and demanding, yet the value of their contributions aren't fully understood or appreciated by peers,” ThreatTrack President Julian Waits Sr. said in a July 31 statement.

“Our research suggests that CISOs are often viewed simply as convenient scapegoats in the event of a headline-grabbing data breach, and they are significantly undervalued for the work they do every day to keep corporate data secure,” Waits said. “This perception needs to change, as CISOs, and the teams that work with them, should be viewed as drivers for business protection and growth.”

The study found that 47 percent of CISOs report to their CEO or president; 45 percent report to the CIO; 4 percent to the chief compliance officer; and less than 2 percent to the COO or CFO.

“Where CISOs report to the CEO or president, the corporate structure potentially lends itself to a turf battle between the CISO and CIO, which could help explain why more than half of CIOs buy into the scapegoat notion,” the ThreatTrack survey stated.

U.K.-based research company Opinion Matters conducted the survey between June 30 and July 21.

To contact the reporter on this story: Joyce E. Cutler in San Francisco at jcutler@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com

The report, “Study: No Respect. CISOs Misunderstood and Underappreciated by Their C-Level Peers,” is available after registering at http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx.