Few infosec leaders report to C-suite, study shows

Few infosec leaders have a direct voice to the C-suite, says a new study, which argues that this makes it very difficult to ensure that leadership has an accurate and complete understanding of the security risks facing the organization.

The global study from LogRhythm conducted by the Ponemon Institute showed on average respondents were three levels away from the CEO. Most often they reported to the CIO (24 per cent), the director of IT (19 per cent), the CTO (12 per cent) or the VP of technology (11 per cent). Only seven per cent reported directly to the CEO.

Furthermore, only 37 per cent of respondents said they or someone in their security function reports directly to the board of directors.

Only 43 per cent either strongly agreed or agreed their organization values and effectively leverages the expertise of the cybersecurity leader. Only 46 per cent strongly agreed or agreed senior leadership in their organization has confidence that the cybersecurity leader understands the business goals.

Sixty per cent of respondents strongly agreed or agreed that a cybersecurity leader should report directly to the CEO because it would create greater awareness of security issues throughout the organization.





The Ponemon Institute surveyed 1,426 cybersecurity professionals in the United States, Europe, Middle East, Asia and Asia-Pacific. Most held the title of Chief Information Security Officer (17 per cent), security manager (15 per cent), Chief Information Officer (12 per cent), Chief Technology Officer (11 per cent) and security director (11 per cent).

Forty-one per cent of respondents said they brief the board only when a security incident occurs. Thirty per cent say reporting occurs quarterly. Only 29 per cent of respondents say they have a committee dedicated to cybersecurity threats and issues facing the organization. If they do have such a committee, only 43 per cent of respondents say someone from the cybersecurity function is a member of the committee.

“While security leaders are assuming more responsibility than ever before, they lack the necessary organizational visibility and influence to effectively build and mature their security programs,” James Carder, chief security officer of LogRhythm, said on the release of the report. “Comprehensive cybersecurity programs are integral to the success of an organization. This research should spur CEOs to take accountability for safeguarding their organization’s sensitive information, prioritize the security program by elevating the security leader and ensure inroads between security decision-makers, the C-suite and the board.”

If possible, IT leaders should be persistent in scheduling meetings with the C-suite and board of directors, the author of the report says. Include in these presentations the quantifiable and qualitative financial, regulatory and reputational consequences of a security incident.

If there are security risks that are not being addressed, provide recommendations and concrete actions that the CEO and board can approve or disapprove, it adds.

The full report, which also looks at infosec leaders’ spending priorities and what they consider their top risks, is available here. Registration required.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
