In a world of highly visible and catastrophic data security breaches, we would expect that corporate chief information security officers (CISOs) would be valued and respected in their organizations. A recent survey conducted by ThreatTrack Security suggests, however, that this is not the case. ThreatTrack Security surveyed 200 senior corporate executives, asking them about the role of the CISO and data security in their organizations. Despite the virtually daily reports of severe data security challenges threatening the profitability and, at times, the survival of organizations, CISOs seem to remain misunderstood and undervalued in most enterprises. This continuing failure to make effective use of CISOs carries important potential legal liability for all of the organizations involved.
The ThreatTrack survey indicates that the vast majority of organizations view data security to be a significant enough issue that it merits attention at the corporate board of directors level. Those organizations recognize the need to have data security expertise represented on their boards of directors. Yet despite their recognition of the importance of data security issues, three-quarters of the survey respondents do not view CISOs as members of the senior executive team. Instead, they characterize CISOs as advisors to senior executives.
This distinction between advisor and senior executive team member seems to hinge upon the issue of decision-making authority. A majority of corporate executive seems to value the input and advice provided by CISOs, however, they choose not to grant effective decision-making authority to those officers. Most corporate executives now apparently value the knowledge of CISOs but prefer to use the CISOs solely as information sources, to be consulted by the senior management team, not granted full membership as part of that team.
The ThreatTrack survey seems to identify ongoing and potentially significant tension between CISOs and corporate chief information officers (CIOs). The survey found that corporate CEOs were generally more supportive of CISOs than were CIOs. While a majority of the surveyed CEOs were willing to integrate CISOs into senior management decision-making, only 37% of the surveyed CIOs were willing to support that action.
It seems possible that CIOs frequently view CISOs to be threats instead of partners. Such tension seems understandable. Given the scope and potential impact of data security threats, the information security function can often appear to be more pressing and more significant than the broader information management role. It is easy for CISOs to capture the attention of senior management, and it appears that many CIOs view that attention to be a challenge to their own authority.
The survey indicates that, in the vast majority of organizations, the CISO reports either to the CEO or to the CIO. In the majority of companies, the CISO reports to the CIO. Among the largest companies, those with 5,000 or more employees, approximately 70% of the CISOs report to the CIO.
Functionally, a reporting structure that places the CISO under the CIO is entirely sensible. It should be recognized, however, that such a structure seems to downplay the significance of the data security function. An organization that organizes itself so that the CISO reports directly to the CEO makes a clear statement that it places a high priority on data security.
ThreatTrack Security notes that the decision to have the CISO report to the CIO instead of the CEO could also be based in part on a desire to shield the CEO from negative fallout associated with a data breach. By inserting the CIO as an intermediary between the CEO and the CISO, an organization may somewhat impede the flow of data security information up its chain of command, but that additional organizational level can provide some distance between the CEO and those who are likely to be held ultimately accountable for data security breaches. This insulation may permit the CEO to survive even if a serious data security breach occurs.
ThreatTrack Security indicates that its survey highlights the critical role played by effective CISO communication. CISOs must communicate clearly both with the senior management team and with the rest of the organization in order to operate successfully and to survive. The survey results suggest that organizational communication is a function CISOs, in general, have not executed as effectively as they should.
At one level, effective CISO communication involves helping the organization to understand the nature of data security threats and their significance. The survey suggests that senior management of many organizations does not yet fully appreciate the challenges posed by data security, despite the many highly publicized data security breaches that have occurred to date.
Effective CISO communication also requires clear description of the role played by the CISO in the organization. The survey results suggest that many organizations do not seem to have a good working knowledge of the duties and responsibilities of the CISO. They also appear to lack an understanding of the ultimate value the CISO function offers for the organization. The ability of the CISO to operate successfully and to survive in an organization depends substantially on the CISO's effectiveness at communicating with the entire organization.
The ThreatTrack Security corporate survey on the role of the CISO conveys both good news and bad news. The good news is that many organizations now recognize the significance of data security to their operations. They value data security expertise and are willing to seek it out on an ongoing basis.
The bad news is that CISOs remain generally undervalued by their organizations. They are frequently consulted but not fully appreciated as important members of the senior management team. Their role is not fully understood by the rest of the organization, and they are often in conflict with the one party, the CIO, who should be their most important ally.
Perhaps the most important lesson offered by the ThreatTrack Security survey is the continuing need to highlight the data security role within each organization. To accomplish that goal most effectively, data security must be viewed as a function that merits a direct report to the CEO. This direct connection to the CEO can be accomplished in at least two ways. One is through establishment of a direct organizational reporting connection between the CISO and the CEO. Alternatively, organizations can begin to make data security expertise a more significant requirement as they select their CIOs.
Data security is essential to the survival of virtually every organization. Accordingly, data security should be the most critical responsibility of each executive responsible for information management in an organization. It now seems time to adjust our vision of the role of the CIO to recognize that data security is the most significant responsibility carried by each CIO. As a result, organizations should require that their CIOs be data security experts.