CEOs not paying enough attention to digital security

Chief information security officers have a lot to worry about, convincing the CEO to be vigilant about mounting risks shouldn’t be one of them.

The role of chief information security officer (CISO) is a relatively new and incredibly important position at many retail organizations. While retailers have long understood the power of data as a resource to be mined for value creation, they were slow to understand the capabilities of nefarious characters to penetrate their systems and steal important information. While organizations have become more aware of their vulnerabilities and bolstered defenses, a new report reveals many are still too reactive and CEOs and boards are not highly engaged.

The report finds that as IT security increasingly becomes a priority, CISOs’ influence within companies is growing, however, security strategy in many organizations is still largely reactive and not yet aligned with business functions. The findings are based on a survey of 184 senior-level IT security professionals at 184 companies in seven countries conducted by the Ponemon Institute on behalf of technology solutions provider F5.

“It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. But in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.” said Mike Convertino, Chief Information Security Officer at F5.

Among the reports other key findings:

• Responsibility growing for CISOs – Although CISOs have varying degrees of influence among upper management in their organizations, most CISOs are influential in managing their companies’ cybersecurity risks, and their impact is growing. Sixty-eight percent of respondents say CISOs have the final say in all IT security spending, while a slightly smaller number (64%) say they have direct influence and authority over all security expenditures in their organizations. Eighty-seven percent of respondents say the IT security budget has increased significantly.
• Alignment lacking with business – An IT security strategy that spans the entire company is still very rare. Fifty-eight percent of respondents indicate IT security is a standalone function and only 22% say security is integrated with other business teams, while 45% say their security function does not have clearly defined lines of responsibility.
• Recognition of security as a business priority is reactive – Sixty percent of respondents believe their organizations consider security to be a business priority, yet only 51% say their organization has an IT security strategy, and of those only 43% say that strategy is reviewed, approved, and supported by other C-level executives. The findings indicate that change in security programs is largely reactive, with material data breaches (45%) and cybersecurity exploits (43%) the top two events that get attention from other senior executives.
• Crises driving influence with executiveleadership – Sixty-five percent of respondents say CISOs communicate directly with senior executives, but rarely is it strategic discussion of all threats to the organization. Respondents also acknowledged limited executive communication around security events, with 46% stating that only material data breaches and cyber attacks are reported to the CEO and board of directors, while just 19% report all data breaches to this group.
• AI is a potential solution to staffing needs – A talent shortage in IT security continues to loom large for CISOs. Fifty-eight percent say they have difficulty hiring qualified security personnel, with the biggest challenges identifying and recruiting qualified candidates (56%) and an inability to offer a market-level salary (48%).