We’ve all heard or read the rhetoric that “cybersecurity has become a boardroom issue.” I certainly agree that we are trending in this direction, but is this true today or nothing more than marketing hype?
ESG recently published a new research report in collaboration with the Information Systems Security Association (ISSA), titled The State of Cyber Security Professional Careers, to ask a number of questions and truly capture the voice of cybersecurity professionals.
As part of this project, cybersecurity professionals were asked if their CISO’s (or similar role) participation with executive management (i.e. CEO, board of directors, etc.) was at an adequate level. Just over half (56 percent) answered “yes,” but 16 percent thought the level of CISO participation with executive management should increase somewhat, while another 12 percent believed the CISO’s level of participation with executive management should increase significantly. The remaining 16 percent responded, “don’t know.”
So, despite industry rhetoric, more than one quarter of cybersecurity professionals believe CISOs are not getting the right level of executive face time. Given the number of major data breaches we’ve seen over the past few years and continue to see today, this seems totally inappropriate to me.
The results are even worse when further analyzed. The survey population of 437 cybersecurity professionals included 61 CISOs (or similar position). Of these CISOs:
- Twenty-one percent believe the CISO's level of participation with executive management should increase somewhat (compared to 16 percent of the total survey population).
- Twenty-five percent believe the CISO's level of participation with executive management should increase substantially (compared to 12 percent of the total survey population).
These CISOs are the very individuals who have the best understanding of the amount of time they spend with executives and whether this is an appropriate amount. Alarmingly, nearly half of them (46 percent) say they aren’t getting enough executive attention. This is very discouraging data, to say the least.
We cybersecurity professionals take pride in the job we do and the current state of the industry. Heck, cybersecurity has become a daily topic in the U.S. presidential election, and more than 35,000 people attended this year’s RSA Security Conference.
Yup, we’ve made progress but the ESG/ISSA data is a sobering reminder that we also need to eschew hyperbole and realize that there’s still a lot of work ahead. The fact remains that too many organizations still don’t want “good security;” they want “good enough security,” which has proven time and time again to be insufficient for preventing, detecting and responding to sophisticated cyber attacks.
CISOs must keep pushing for more boardroom face time, and fat cat CEOs and board members must stop dismissing infosec as a technical issue and truly embrace cybersecurity as part of business planning, business processes and organizational culture. Our collective safety is at risk.