Nearly half of C-level executives said the primary role of a chief information security officer is to “be held accountable for any organizational data breaches.”
And three-quarters of the executives said CISOs do not deserve a seat at a table with the organization’s other leaders.
Cybersecurity firm ThreatTrack Security said it surveyed 200 C-level executive at US companies with a CISO. Interestingly, the results this year are not far from last year’s results. In fact, they are a tad worse from a CISO point of view.
Last year 74 percent said CISOs do not deserve to be included among an organization’s leadership team and 44 percent identified the primary role of the post as mere accountability for breaches.
READ ALSO: CISOs viewed as ‘convenient scapegoats’
“Last year, we were surprised that so many executives neither understood nor valued the role of their CISO, and viewed them as convenient scapegoats in the event of a headline-grabbing data breach,” said ThreatTrack President John Lyons, in a statement. “This year, the data is stunning. With growing concerns about data breaches, organizations appreciate the need for cybersecurity leadership at the highest levels but have failed to make progress in empowering CISOs with the authority they need to successfully defend their organizations. In some areas, CISOs have lost ground.”
According to the survey, C-level execs value a CISO for cybersecurity guidance and advisement but less than 30 percent said those occupying CISO roles “possess broad awareness of organizational objectives and business needs outside of information security.”
Results still indicate a turf war between CIOs and CISOs. A organization’s CEO would be much more amenable than CIOs to naming a CISO as a director, according to the survey. Just 17 percent of CIOs within the survey thought CISOs deserve a seat at the table.
ThreatTrack said an unexpected result of the survey was that nearly 20 percent said their CISO had yet to make a cybersecurity decision.
“One reason for this could be that many CISOs are new to their organizations and haven’t had a chance yet to make a decision,” said ThreatTrack. “It also suggests CISOs aren’t effectively communicating their role, value and responsibilities to the rest of the organization.”
Asked to grade their CISOs, 9.5 percent gave an A. Eleven percent earned a D grade in the eyes of those surveyed. CEOs were kinder graders than CIOs, said ThreatTrack.