The number one driver in business right now is brand value, says Jay Leek, senior vice president and CISO at Blackstone, a New York City-based asset manager. And, whether you are a brick-and-mortar retailer like Target or the manufacturer of a digital tool like Internet Explorer, nothing has a negative impact on your brand quite like a data breach. As Target CEO Gregg Steinhafel discovered when he was forced to resign last month, putting the personal information of a large segment of your customer base in jeopardy can tarnish your company's reputation and derail executives' careers.
But, pull back on that view of the C-suite and identify who is missing among all those present with the title of ‘chief.’ Chances are, you will not find the CISO – or the person he or she reports to – on Mahogany Row. “It's very rare to find a CISO who reports to the CEO,” says Ted Julian, chief marketing officer at Cambridge, Mass.-based Co3 Systems, “yet that is the most dramatic indicator that a company takes its security seriously.”
“Giving CISOs that kind of executive responsibility is not widely adopted,” agrees Bob West, chief trust officer at CipherCloud, based in San Jose, Calif. “Most CISOs still don't have that kind of visibility. Systemic issues still abound in that area.”
John Johnson, global security strategist at John Deere, the equipment manufacturing giant based in Moline, Ill., admits that his company does not even have a CISO, and says he sees few as he looks across the manufacturing sector. “Most manufacturers are struggling to improve and adapt, and swimming against the tide of lean IT budgets and resource shortages,” he says. “As such, security started as a function of IT and remains under the CIO.”
That line of reporting can work, says Leek, as long as the person the CISO reports to is the kind of executive who makes things happen when needed. “You need to team up with the right business leader to ensure your voice gets heard,” he says.
Unfortunately, based on the results of a new study, the voices from the security department are not generally getting heard. According to research conducted by the Ponemon Institute and sponsored by FireMon, only six percent of security professionals surveyed report being highly effective at communicating risk factors to senior management. Twenty-nine percent say they never communicate with senior executives, and 31 percent say the only time they meet with those in the C-suite is when a serious risk has been discovered. Seventy-one percent say communication occurs at too low a level to be effective, and more than half of respondents admit to filtering negative facts before talking to senior executives.
“The survey reveals there is a lack of understanding of what's important and how it should be measured,” says Jody Brazil, FireMon's president and chief technology officer. “Most security professionals are invisible until they are forced to disrupt the flow of regular business, and disruption is seldom viewed as positive by those in charge.”
Despite these findings, Leek believes awareness of the importance of security to companies' overall welfare is increasing. “The conversation has been changing over the past two or three years,” he says. “The highly publicized breaches have changed the way that business leaders and boards of directors look at things.”