A recent study finds that the increased scrutiny of security incidents is leading many chief information security officers, or CISOs, to report right to the top, rather than to the CIO.
The chief information security officer role has been given an upgrade—and is now widely seen as an executive-suite role. That’s according to a new report from the information technology firm Wipro, which found that more than a fifth of CISOs are now reporting directly to the CEO, rather than the CIO.
(The rate varies significantly by industry. For communications-centric organizations, the number is 47 percent.)
The reason for the increasingly direct relationship between the CISO and the CEO, according to the State of Cybersecurity Report 2019 [registration], is that it’s becoming more clear that the role is an increasingly critical part of an organization’s basic function.
“Business leaders are acutely aware of the reality of an imminent cyberattack as high-profile CEOs are feeling the heat due to data breaches,” the report states. “This has led to the evolution of the CISO’s role, which now includes more governance responsibilities along with a heightened scrutiny from the board.”
CISOs are expected to manage a number of security functions, including overall information security (91 percent), information security policy (84 percent), and budgets (60 percent). The report adds that while the relationship between CIO and CISO has worked in the past, it may not be as effective in the future.
In case you’re considering a CISO-centric reorganization, here are some other relevant insights related to the CISO role worth noting:
It’s a tough gig. In a column for Dark Reading, Carbon Black Head of Security Strategy Rick McElroy noted that CISOs often spend less time in their roles than other C-suite positions, and some of the reason for that is because it’s difficult work that is incredibly difficult to pull off well. Part of the problem, McElroy says, is that CISOs are often expected to shoulder the blame for security failings. “In many organizations, there’s also an assumption that security is the sole responsibility of the CISO,” he writes. “In reality, it’s a business imperative—everyone from the CEO to the seasonal intern should prioritize secure best practices to keep the organization protected.”
Leadership skills matter more than technical skills. Last year, a study from ESG and the Information Systems Security Association found that success in the CISO role leaned largely on leadership skills, which 54 percent of CISOs surveyed said was important, far outpacing other aspects, such as communication skills (49 percent), executive relationships (44 percent), management skills (33 percent), and technical skills (21 percent). CSO contributor Jon Oltsik noted that the decreased focus on technical skills reflects a change in how the role is perceived. “In the old days, CISOs tended to work their way up through IT and cybersecurity departments before assuming oversight of antivirus software, firewalls, and meeting regulatory compliance mandates,” he explained. ”Now, CISOs lean much more heavily toward the business.”