In December last year, the Wall Street Journal ran an article, “How CISOs can wield more power in organisations”. The article was based on a detailed field study that pointed to CISOs being somehow seen as the lesser of the “Chiefs”. It seems they played a marginal role when it came to strategic decision-making, despite the increasingly digital nature of most organisations and the significant growth in cyber-threats.
The role of CISO is still a relatively new one within the executive, arriving for the first time in the mid-90s. In the interim, it could be argued that a lack of understanding of the role, rather than a lack of credibility, has led to a disconnect between the technical and non-technical seats at the table. This may be further complicated by the naturally risk-averse nature of CISOs, as they are often seen as a barrier to growth, or a hurdle to be negotiated.
However, with the continued threat of cyberattack and the evolving state of cybersecurity legislation around the world, the CISO is becoming an increasingly important figure. Across many industry sectors, the role is now recognised as a core component of cybersecurity governance. In the same way that the GDPR and other data governance legislation demands the naming of a data protection officer (DPO) for public companies, we are now seeing regulations emerge that call for the same level of transparency concerning CISOs. For example, the Securities and Exchange Commission (an agency within the US government) announced rules last year that would require public companies to state whether they had a CISO, to whom they reported and how often they met with the wider board.
The article cites research from the Ponemon Institute that indicates half (51%) of security executives feel they lack executive support and a similar number (53%) feel that senior leadership still doesn’t understand their role. These are worrying numbers when put into the broader context of the cyberthreat landscape, and one must wonder whether this is a symptom, or the result, of the apparent apathy of some businesses towards data security.
In the WSJ article, the authors suggest ways in which CISOs can get greater mindshare or respect within the boardroom, advocating for proactivity and purposefulness, but there is also a burden of responsibility that sits with board members and the C-suite to take cybersecurity more seriously. After all, in a digitally connected organisation it’s not just your data that needs protecting, but that of businesses and individuals up and down the supply chain – from customers to suppliers.
One of the biggest challenges facing CISOs is getting the rest of the executive to understand that cybersecurity is everyone’s responsibility, not the exclusive domain of the “technical department”. Of course, as the role of data security becomes more integral to day-to-day operations, the stakes get higher. Nowhere is this more evident than the recent prosecution of former Uber CSO John Sullivan, who was found guilty of covering up Uber’s 2016 breach.
The changing face of data protection regulation across the globe has shone a light on the data breach crisis facing businesses of all types. Finance, healthcare and government sectors continue to be hit hard, but nobody is safe. In its 2022 data breach report, IBM reported that for 83% of businesses surveyed it was not a matter of if, but when, a breach would occur. Why, then, do organisations still struggle to recognise the importance of the CISO?