Some Infosec leaders report to C-Suite, shows study

Few InfoSec leaders have a direct voice for the C-suite, says a new study, which argues that it is very difficult to ensure that leadership has an accurate and complete understanding of the security risks facing the organization.

A global study of logarithms conducted by the Ponemon Institute showed that on average respondents were three levels away from the CEO. Often they reported to the CIO (24 percent), IT director (19 percent), CTO (12 percent) or VP of technology (11 percent). Only seven percent reported directly to the CEO.

In addition, only 37 percent of respondents said they or someone in their security work reports directly to the board of directors.

Only 43 percent either strongly agree or agree with their organization's values and effectively leverage the expertise of a cybersecurity leader. Only 46 percent strongly agree or agree that senior leadership in their organization considers cyber security

The leader understands business goals.

Sixty percent of respondents strongly agreed or agreed that a cyber security leader should report directly to the CEO as it would create greater awareness of security issues throughout the organization.

Three things a new CISO should do

The Ponemon Institute surveyed 1,426 cybersecurity professionals across the United States, Europe, the Middle East, Asia and the Asia-Pacific. Most held the titles of chief information security officer (17 percent), security manager (15 percent), chief information officer (12 percent), chief technology officer (11 percent) and director of security (11 percent).

Forty-one percent of the respondents said that they notify the board only when a security incident occurs. Thirty percent say reporting happens quarterly. Only 29 percent of respondents say they have a committee dedicated to cyber security threats and issues facing the organization. If they have such a committee, only 43 percent of respondents say someone with cyber security work is a member of the committee.

Logarithm's chief security officer, James Carder, said in the release of the report, "When security leaders are taking on more responsibility than ever before, they have the necessary organizational visibility and influence to build and mature their security programs effectively. There is a shortage." "Comprehensive cybersecurity programs are integral to an organization's success. This research should motivate CEOs to take accountability for protecting their organization's sensitive information, prioritize security programs by elevating the security leader, and make security decisions." " There must be penetration between the takers, the C-suite and the board.

The report's authors say IT leaders should schedule meetings with the C-suite and the board of directors, if possible. Include financial, regulatory and reputational quantitative and qualitative results of the security incident in these presentations.

If there are security risks that are not being addressed, provide recommendations and concrete actions that the CEO and board can approve or reject, it adds.

The full report, which also looks at the spending priorities of InfoSec leaders, and what they consider to be their top risks, is available here. *registration required.