Few infosec leaders have a direct voice to the C-suite, according to a new study, which argues that this makes it very difficult to ensure leadership has an accurate and complete understanding of the security risks facing the organization.
The global study from LogRhythm conducted by the Ponemon Institute showed on average respondents were three levels away from the CEO. Most often they reported to the CIO (24 per cent), the director of IT (19 per cent), the CTO (12 per cent) or the VP of technology (11 per cent). Only seven per cent reported directly to the CEO.
Furthermore, only 37 per cent of respondents said they or someone in their security function reports directly to the board of directors.
Only 43 per cent either strongly agreed or agreed their organization values and effectively leverages the expertise of the cybersecurity leader. Only 46 per cent strongly agreed or agreed senior leadership in their organization has confidence that the cybersecurity leader understands the business goals.
Sixty per cent of respondents strongly agreed or agreed that a cybersecurity leader should report directly to the CEO because it would create greater awareness of security issues throughout the organization.
The Ponemon Institute surveyed 1,426 cybersecurity professionals in the United States, Europe, Middle East, Asia and Asia-Pacific. Most held the title of Chief Information Security Officer (17 per cent), security manager (15 per cent), Chief Information Officer (12 per cent), Chief Technology Officer (11 per cent) and security director (11 per cent).
Forty-one per cent of respondents said they brief the board only when a security incident occurs. Thirty per cent say reporting occurs quarterly. Only 29 per cent of respondents say they have a committee dedicated to cybersecurity threats and issues facing the organization. If they do have such a committee, only 43 per cent of respondents say someone from the cybersecurity function is a member of the committee.
“While security leaders are assuming more responsibility than ever before, they lack the necessary organizational visibility and influence to effectively build and mature their security programs,” James Carder, chief security officer of LogRhythm, said on the release of the report. “Comprehensive cybersecurity programs are integral to the success of an organization. This research should spur CEOs to take accountability for safeguarding their organization’s sensitive information, prioritize the security program by elevating the security leader and ensure inroads between security decision-makers, the C-suite and the board.”
If possible, IT leaders should be persistent in scheduling meetings with the C-suite and board of directors, the author of the report says. These presentations should include the quantifiable and qualitative financial, regulatory and reputational consequences of a security incident.
If there are security risks that are not being addressed, provide recommendations and concrete actions that the CEO and board can approve or disapprove, it adds.