Half of C-Level Execs See CISOs Primarily as Scapegoats for Data Breaches

According to the results of a recent survey of 200 C-level executives at U.S.-based enterprises that employ a chief information security officer (CISO), almost half (47 percent) of respondents view the CISO’s role primarily as a scapegoat who “should be held accountable for any organizational data breaches.”

The survey, conducted by Opinion Matters on behalf of ThreatTrack Security in June 2015, also found that only 25 percent of respondents agreed that “CISOs contribute greatly to improving day-to-day security practices,” and only 25 percent think CISOs deserve a seat at the table as part of the organization’s leadership team.

“These results pose a real dilemma for CISOs,” ThreatTrack president John Lyons said in a statement. “If CISOs don’t have visibility into operational plans and strategy, and aren’t included in decision-making processes, how can they be held responsible for a major security issue?”

“The need for information security is keenly appreciated, but CISOs are struggling for the recognition and authority they need to be effective in defending organizations from today’s increasingly sophisticated and frequent cyber threats,” Lyons added.

Still, 79 percent said their board of directors already has or should have “at least one member with a strong background in cyber security, possibly including someone who is, or has served as, a CISO at another enterprise.”

“With growing concerns about data breaches, organizations appreciate the need for cybersecurity leadership at the highest levels but have failed to make progress in empowering CISOs with the authority they need to successfully defend their organizations,” Lyons said.

Few respondents valued CISOs’ contributions outside of security — only 27 percent agreed that “CISOs typically possess broad awareness of organizational objectives and business needs outside of information security.”

When asked how they view the CISO position in a leadership context, 51 percent of respondents said the CISO’s key job is as an advisor, providing “valuable guidance to senior leadership related to cyber security.”

“The CISO’s place in the corporate structure needs to be better defined and cemented so that the entire organization can benefit from the expertise and strategic thinking the CISO can offer in building an effective cyber security strategy — dramatically improving the organization’s ability to mitigate risk and limit its exposure to cybercrime while still enabling the business to grow and remain operationally efficient,” ThreatTrack stated in a report on the research.

A recent eSecurity Planet article looked at three questions every CISO should answer regarding data breaches.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles