There’s good news and bad news when it comes to top cyber security posts in the corporate enterprise. The upside is more companies have appointed chief security officers (CSOs) and chief information security officers (CISOs). The downside is too many hold the title without the same measure of autonomy given to other C-level execs.
KrebsOnSecurity, a site devoted to security issues, recently dove into the issue, reviewing the websites of the top global companies by market value. It found only five percent of these behemoths listing their top security executives among their highest-ranking officials, while the same companies highlighted top executives in other domains: for example, nearly three-quarters (73%) named their human resources executive (chief people officer) and one-third included a chief marketing officer.
At the same time, however, more companies are elevating security professionals to C-level titles. A 2017 ISACA report on the state of cyber security found that 65% of organizations now employ a CISO, up from 50% in 2016, and a greater number are considering rearranging the reporting structure so the CISO no longer reports into the CIO. The 2019 State of the CIO research found less momentum for CSO titles: currently only 13% of respondents to the survey have appointed a CSO, and among those that have, 73% report into the CEO or corporate CIO.
This raises the question: Why stack the deck with executive security manpower only to curtail their authority and lessen their clout over the rest of the enterprise? The answer, experts say, is that while companies have made significant strides in cyber security, the discipline is still not viewed as a foundational business strategy, in part because it is a cost center rather than a technology that presents revenue-generating opportunities.
That head-in-the-sand strategy is particularly prevalent in the industrial sector, notes Andy Bochman, senior grid strategist for National & Homeland Security at the Idaho National Laboratory, the nation’s premier nuclear energy research lab. “In many companies, the CISO or CSO is usually a euphemism to say, ‘of course we take security seriously,’” he explains. “If you peel back the euphemism, the role typically operates as a senior manager or director—it’s not on the level that gets you into the inner sanctum where the true C-suite lives.”
Org Charts Revisited
Much of the issue is organizational: most top-level cyber security executives report into the CIO or CFO rather than having a direct line to the CEO like their C-suite counterparts. This is particularly problematic in the industrial world, where cyber security concerns span both IT and OT (operational technology) systems, which remain siloed despite the ongoing push for convergence as part of Industrial Internet of Things (IIoT) and digitalization strategies. In addition, the two executives often operate at cross purposes: the CIO presses forward with digital innovation while the security executive pumps the brakes over concerns about risk and exposure.
“Their values are often at odds with each other,” Bochman says. “CIOs are paid to drive use of innovative technology while the CSO is concerned about opening up tremendous attack surfaces.”
At the same time, cyber security teams still remain relatively small compared to other functional areas, which makes some organizations hesitant to appoint a C-level oversight title, according to David Bradbury, senior vice president and CSO at Symantec. For example, Symantec maintains a team of 150 security professionals to support 12,000 internal employees—a staff considered moderate compared to many similarly sized companies that employ only a few dozen cyber security personnel.
At the same time, just because a CSO or CISO doesn’t report directly to the CEO doesn’t mean they can’t be effective. “It’s not always the right structure—you can’t have the whole company reporting into the CEO,” Bradbury explains. “A large component of the CISO role is operational and not necessarily aligned with the CEO agenda.”
Bradbury says the problem isn’t with large companies or with firms that don’t call out their top security professionals, but rather with mid-tier organizations that still have work to do to elevate cyber security objectives and policies. “In the mid-tier, we’re not seeing security getting the oxygen it needs to be effective,” he says. “That’s where the battle needs to be fought in the next five to 10 years. That’s where security is failing to get traction, and this could be one of many factors.”
Over time, security experts like Bochman hope to see a single C-level security role with oversight of IT/OT as well as the cyber and physical security domains. In the interim, companies are addressing security gaps primarily through technology implementations, but the real transformation will come with organizational and cultural change.
“Cultural change takes a lot longer than technology change,” Bochman says. “We’re at some midway point from being totally flat-footed on cyber security, as evidenced by the org chart, to making substantial gains.”