January 6, 2022
“Cybersecurity isn’t just an IT problem, it’s an organization-wide issue that requires executive-level decisions. That’s why CISOs should be in an executive role.”
That was Mindsight Cybersecurity Practice Lead Mishaal Khan this past spring, reiterating something he has long preached to greatly enhance cybersecurity at SMBs and enterprises alike. And there’s been positive growth, he said, noting that more and more company leaders have tech backgrounds and communication is improving between key stakeholders.
But as a recent study from LogRhythm makes clear, there’s still a long way to go.
Titled Security and the C-Suite: Making Security Priorities Business Priorities, the study centers around this basic principle: “To gain organizational influence, cybersecurity leaders should report to the CEO.” Apparently, that’s easier said or written than done, because 93 percent of respondents — mainly CISOs, CIOs, CTOs and security officers — said that isn’t the case at their organizations, more than half of which had experienced cyber-attacks and data breaches in the past two years.
“In fact, on average respondents are three levels away from the CEO which makes it very difficult to ensure that leadership has an accurate and complete understanding of security risks facing the organization,” the study states. “Sixty percent of respondents say the IT security leader should report directly to the CEO because it would create greater awareness about security throughout the organization.”
Here’s another, even more alarming revelation: “Despite 57 percent of respondents having complete ownership (23 percent) or significant influence (34 percent) over an average annual budget of $38 million, most IT security leaders are still not having a direct relationship with the CEO and board of directors.”
At a time of widespread remote work and consequent security lapses that greatly increase the chances of an organization’s data (today’s most valuable currency) being stolen or compromised by skilled cybercriminals, the study goes on to say, companies remain puzzlingly focused on “having a skilled workforce, improving corporate culture and customer experience” at the expense of cybersecurity.
Some recommendations to help IT leaders remedy this potentially costly shortcoming include: 1) Pinpointing specific security risks and providing recommendations and concrete actions that the CEO and board can approve or disapprove; 2) Instituting an effective incident response and disaster recovery plan that the CEO and board of directors understand fully; 3) Scheduling regular meetings with the CEO and board regarding the financial, regulatory and reputational impact of a security incident. Because overwhelmingly, the study found, “the board of directors is not getting a clear picture of the organization’s security posture.”
Getting back to Khan’s statement about the relationship of CISOs and CEOs, it turns out that 60 percent of the study’s respondents share his belief. Cybersecurity leaders, they agreed, “should be part of the C-suite and report directly to the CEO because it would give the cybersecurity leader more authority and create greater awareness of security issues throughout the organization. As a consequence of this reporting relationship, only 37 percent of respondents say their organization values and effectively leverages the expertise of the cybersecurity leader.”
It doesn’t help matters that while security leaders assume most of the risk and receive much of the blame for cyber-attacks, their salaries often don’t reflect those realities. Less than half of respondents said their pay had increased over the past year, while 57 percent said they assumed “more accountability and risk for ensuring a strong security posture.” Meanwhile, CEOs are doing just fine.
As Mindsight’s Khan and the LogRhythm study make clear, creating more equity and better dialogue between security leaders and traditional business-side leaders would go a long way toward making companies less vulnerable to attacks that could seriously hamper operations, negatively impact associates — or put them out of business entirely.
The old adage may be trite but it’s also true: An ounce of prevention is worth a pound of cure. In this case, though, there aren’t nearly enough believers.
Learn more from a few of our most popular cybersecurity blogs in 2021:
- The Rise of Social Engineering Challenges: A Cybersecurity Report
- Ransomware and Healthcare, Lives in the Balance: A Cybersecurity Report
- What You Need to Know about Cybersecurity Frameworks: A Cybersecurity Report
Like what you read?
Contact us today to discuss disaster recovery and ransomware threats.
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.