Despite Small Gains, CISOs Face an Uphill Battle in the C-Suite
Source: Threat Track Security September 16, 2015
Compared to a year ago, CISOs have gained some respect in terms of perceived leadership qualities, but C-level executives still can’t shake the temptation to use the role primarily as a scapegoat for data breaches. And though cybersecurity expertise is welcome on corporate boards, CISOs still have work to do in asserting themselves within the corporate structure.
A sense of ambivalence persists with regard to the CISO role, despite some small gains over the past year. A ThreatTrack survey of 200 C-level executives at U.S.-based enterprises employing a CISO revealed that almost half of C-level executives (47%) still view the CISO’s role primarily as a scapegoat who “should be held accountable for any organizational data breaches.” This is an uptick from the 44% who gave that answer in the same survey in 2014. And while CISOs are widely viewed as a valuable addition to corporate boards of directors, C-level executives still have serious doubts about their CISO’s leadership abilities and understanding of business objectives outside security.
79% of survey participants said their board of directors already has, or should include, “at least one member with a strong background in cybersecurity, possibly including someone who is, or has served as, a CISO at another enterprise.” But when asked if CISOs “deserve a seat at the table and should be part of an organization’s leadership team,” a full three-quarters (75%) didn’t think so. That’s a negligible improvement from 2014, when 74% answered the same way.
So, clearly, participants see a sharp difference between occupying a seat on a corporate board, where a cybersecurity professional can influence decisions, and holding a senior leadership position, where the person can make those decisions. It’s no wonder then that when asked to describe how they view the CISO in a leadership context, 51% described the position in advisory terms: “provide valuable guidance to senior leadership related to cybersecurity.” Only 27% said “CISOs typically possess broad awareness of organizational objectives and business needs outside of information security.”