Study: CISO leadership capacity undervalued by most C-level execs
According to a ThreatTrack Security study, 74 percent of execs believed that CISOs didn't belong on an organization's senior leadership team.
A recent poll of C-level executives revealed that most doubt CISOs' organizational leadership abilities.
In a ThreatTrack Security study (PDF) released Thursday, nearly three quarters of the 203 executives polled expressed such opinions. When asked whether “CISOs deserve a seat at the table and should be a part of an organization's leadership team,” 74 percent of execs said, “no.”
The U.S.-based respondents, who included CEOs, presidents, CIOs, COOs, CFOs and those providing high-level legal counsel at companies, were polled between June and July by Opinion Matters on behalf of ThreatTrack.
The report also sheds light on widely held perceptions of the CISO as a “scapegoat” following security breaches.
Forty-four percent of C-level executives believed that CISOs should be held accountable for “any organizational data breaches,” while 54 percent said that chief information security officers shouldn't be responsible for cyber security purchasing decisions, the report revealed.
“In other words, while CISOs deserve the blame for breaches in the minds of many executives, they should have limited say in acquiring the technology and resources to prevent them,” the report said. “The perception of the CISO as scapegoat is especially prevalent among retail (65 percent) and healthcare (55 percent) companies – which are among the most common targets of cyber attacks – as well as in the legal (67 percent) and professional services (52 percent) sectors.”
In a Friday interview with SCMagazine.com, Julian Waits Sr., president and CEO of ThreatTrack Security, said that he's increasingly seeing CISOs reporting directly to CEOs, but in many cases, a leadership division at companies is still present.
“[C-level execs] still see CISOs as these technology dweebs, and as guys who put technologies in place to make it harder for them to do business,” Waits said. “They are not seeing them as a partner in the business, and I personally see this as a travesty.”
The survey, which also asked participants to grade their CISOs on their overall performance, showed that most in the security role earned a "B" or "C" (72 percent) for their ability to prevent data breaches and combat “sophisticated cyber threats.” More than a quarter, or 28 percent, of executives said that a decision their CISO made hurt the business's bottom line.