The good news is that the C-suite is, in fact, improving its posture in these vital matters, according to a Protiviti security survey, "Managing the Crown Jewels and Other Critical Data," released in February. The study found that current board engagement levels are at 33 percent, compared to 28 percent in 2015.
But, while boards are, in general, increasing their management of IT security implementations, there is still more work to be done. “While the increase in boards of directors' and company management's engagement with information security is a positive sign, it's imperative that leadership keeps closer tabs on the state of their organizations' cybersecurity programs,” says Scott Laliberte, a Protiviti managing director and leader of the firm's global IT security and privacy practice. “Particularly as new technologies are introduced and new approaches to generating revenue are deployed, it's increasingly important to reexamine existing data security and privacy processes on a regular basis – ensuring that the right systems and people are in place to keep pace with changes.”
Kimberly Verska, partner and chief information officer at law firm Culhane Meadows, sees roles shifting in the C-suite, particularly in light of the hacks of corporations and their advisers. "Locking down data securely at every point of an enterprise's operations is finally getting the attention it deserves," says Verska, who concentrates her practice on corporate and technology transactions as well as regulatory issues, particularly in the arena of data privacy.
Data security has been a longtime focus in companies whose product is data, she explains. "It's only now, as a result of several highly publicized corporate exposures and CEOs losing their jobs as a result, that the issue of data security is getting serious attention."
No company or executive wants to be embarrassed on the front page of any news outlet for something like a data breach or hacked email or Twitter account, she says. "And when CEOs lose their jobs over these breaches, security tends to become a top C-suite priority. As a result, management is starting to recruit more 'tech savvy-ness' at every level of their organizations -- from operation to the C-suite, even to board-level positions."
Competition to get the right security professionals on board is fierce, says Verska, who speaks Russian, German and Spanish, and has authored and co-authored numerous articles on the laws of foreign jurisdictions relating to data privacy and e-commerce. But it's more than simply hiring a well-known security expert or a CIO. "It's not enough to hire a 'compliance lion' if no one is watching what the cubs are doing. The real shift in the C-suite is working to create a culture of compliance organization-wide."
In the past, a company's security functions fell to the CIO or CTO, whose top priorities are typically a mix of innovation and operations, and very few of the largest enterprises employed a CISO, says Domini Clark, a principal at Blackmere Consulting, an executive recruiter for the technical and cybersecurity industry. Even the U.S. government didn't have a C-suite security-focused executive in the role before 2016, when the first federal CISO was hired, she points out. "But times are rapidly changing, and corporations are learning that security is no longer purely a technological issue, and can no longer be constrained solely to IT."
Senior management is realizing that information security is really a risk issue, and risk is a business challenge that needs broader solutions, says Clark, also the director of strategy at InfoSec Connect. "This realization means we will continue to see growth in the CISO function across organizations of all sizes."
Michael Potters, CEO of Glenmont Group, a Montclair, N.J.-based executive search firm, agrees that roles are shifting in the C-suite, but, he explains, the shift is taking two forms. The CISO position is now showing up at most Fortune 500 organizations, often reporting not to a CIO but to a CEO, he says. In addition, there is a movement to make chief information governance officers (CIGOs) an accepted C-suite role, with infosec in that silo.
Also, the role of the general counsel at Fortune 500 companies has had cyber issues dotted-lined to it, he says, as general counsels are under fire to make sure these issues are being addressed properly, in order to prevent the "break the bank," large-scale litigation that can result from not addressing cyber issues in a proactive way.
Others also see more direct reporting to the C-suite and more activity with the board. C-level executives and boards are seeking trusted advisers, says Gary Clayton, shareholder in the workplace privacy and data security practice of Littler Mendelson. There is a caveat, however, he points out: Many who would be potentially great advisers are so concerned about personal and professional liabilities that they are reluctant to accept these positions.