Aug. 4 — A majority of the C-suite believes chief information security officers should have all the blame and none of the authority concerning cybersecurity matters, according to a ThreatTrack Security Inc. report released July 31.
In a survey of 203 executives in U.S. companies that employ a chief security officer or chief information security officer (CISO), 43.8 percent said CISOs should be accountable for any organization data breaches.
However, 54 percent of the chief executive officers, chief information officers (CIOs), chief operating officers (COOs), chief financial officers (CFOs), general counsels, chief legal officers and chief compliance officers surveyed said CISOs shouldn't be responsible for cybersecurity purchasing decisions. And only 25.6 percent said CISOs should be part of an organization's senior leadership team.
“In other words, while CISOs deserve the blame for breaches in the minds of many executives, they should have limited say in acquiring the technology and resources to prevent them,” the report found.
The perception of the CISO as a scapegoat is especially prevalent in the retail sector (65 percent) and the healthcare sector (55 percent), which the report identified as among the most common targets of cyberattacks. This perception is also prevalent in the legal (67 percent) and professional services (52 percent) sectors.
“The sentiment in the retail sector may be explained, at least partly, by the aftermath of last year's Target data breach,” the report stated. “More than half of all respondents (51%) indicated they did not think it was ‘fair’ for Target to fire its CEO and CIO in the wake of the high-profile data breach.”
Target Corp. reported a data breach affecting 40 million payment cards during the 2013 holiday season, and it later revealed that e-mail and other contact information on as many as 30 million customers may have been compromised. Target CEO Gregg Steinhafel announced in May that he was stepping down as chairman, president and CEO.
Although enterprises increasingly are turning to CISOs to head their cybersecurity operations, 61 percent of the executives surveyed said they didn't believe their CISO would be successful in a leadership role outside of information security.
“The CISO's role has become increasingly complex and demanding, yet the value of their contributions isn't fully understood or appreciated by peers,” ThreatTrack President Julian Waits Sr. said in a July 31 statement.
“Our research suggests that CISOs are often viewed simply as convenient scapegoats in the event of a headline-grabbing data breach, and they are significantly undervalued for the work they do every day to keep corporate data secure,” Waits said. “This perception needs to change, as CISOs, and the teams that work with them, should be viewed as drivers for business protection and growth.”
The study found that 47 percent of CISOs report to their CEO or president; 45 percent report to the CIO; 4 percent to the chief compliance officer; and less than 2 percent to the COO or CFO.
“Where CISOs report to the CEO or president, the corporate structure potentially lends itself to a turf battle between the CISO and CIO, which could help explain why more than half of CIOs buy into the scapegoat notion,” the ThreatTrack survey stated.
U.K.-based research company Opinion Matters conducted the survey between June 30 and July 21.
To contact the reporter on this story: Joyce E. Cutler in San Francisco at email@example.com
To contact the editor responsible for this story: Katie W. Johnson at firstname.lastname@example.org
The report, “Study: No Respect. CISOs Misunderstood and Underappreciated by Their C-Level Peers,” is available after registering at http://www.threattracksecurity.com/resources/the-role-of-the-ciso.aspx.