Because an enterprise-wide approach to cybersecurity – including technology investments, workforce preparedness, and risk planning – counters evolving threats, CISOs should be empowered by the C-Suite to influence or direct myriad corporate functions, from cybersecurity to HR to workforce training to strategic planning. And, indeed, some forward-leaning companies are aligning their CISOs more closely to the operations of the rest of the C-Suite. Yet far too many, whatever lip service they may pay to a more strategic alignment, view the role of the CISO as though it’s still 1995: securing the data and devices within the enterprise.
In a 2015 survey, Deloitte found that CISOs typically spend 77% of their time on technical matters like identifying and implementing new security technology investments and focusing on aligning the cybersecurity staff to face the current threat landscape. However, 77% simultaneously said their number 1 priority was promoting better integration and governance of information security practices with business operations.
Such misalignment of priorities with activities belies the expectations of CEOs, CIOs, and COOs who pay lip service to the increased criticality of a CISO’s job while failing to adjust to empower the role. Part of the failure of CISOs to better integrate information security programs with business operations comes down to reporting chains. According to the 2021 Global CISO Survey, more than 50% of CISOs report to either the CIO or CTO, who are less likely to be principal drivers of corporate strategy or operational decision-making in the ways the CEO or COO are (especially outside of the tech and telecom industries). Fewer than a quarter of CISOs report to either the CEO or COO and only 4% sit on a corporate board—mirroring a trend whereby only 6-8% of directors added to boards have cybersecurity expertise whatsoever.
The same survey identified two general categories of CISO: the “Everything CISO,” responsible for enterprise security, risk, and trust; and the “Specialist CISO,” an IT-focused job centered on cybersecurity. While the two categories are close in proportion (45% Everything to 55% Specialist), the predominance of Specialists shows an industry lagging behind the true requirements of such a role. Nearly three-quarters of Everything CISOs work in the technology and financial sectors, perhaps because these are heavy targets of cyber attacks with massive value at risk. Nonetheless, massive markets from healthcare to retail to energy trend heavily towards treating CISOs as a predominantly IT role, leaving major segments of our economy and critical infrastructure without adequate security and risk leadership.
A recent MIT study clarifies, “Improvements in technology adversely affect wages and employment through the displacement effect, in which robots or other automation complete tasks formerly done by workers. Technology also has more positive productivity effects by making tasks easier to complete or creating new jobs and tasks for workers. The researchers said automation technologies always create both displacement and productivity effects, but robots create a stronger displacement effect.”
Enterprises need to rethink how they make security decisions across the organization—not simply cybersecurity decisions. Because security of all types is at its core a very human problem, and because security choices can often have massive impacts on business operations, CISOs and security executives should not be determining security posture in a vacuum. Some organizations are beginning to convene councils of senior executives to make corporate security decisions. In this way, security considerations can be weighed against business operations to make tradeoff decisions at the very top. However, only 30% of CISOs polled in a ToolBox survey report having a similar board-level committee, and of those, only 43% say the committee includes a member of the security staff. Enterprises cannot chart a well-considered security path if, as almost 50% of those respondents report, they treat security as an impediment to business. Security must be an integrated component of all business decisions and must be the responsibility of the entire executive leadership team, including the CISO.
About the Authors