
Does your title match your authority?

Security may be getting respect, but what does a C-level security title mean when it comes to having the power to secure an organization?

By Bob Violino, CSO
February 04, 2014 04:07 PM ET

CSO - Security executives have taken on much more responsibility and visibility in recent years as threats to corporate information assets and physical resources have increased.


But do their titles--whether it's CSO, CISO, vice president of security or other C-level position--always come with the authority needed to achieve everything they are responsible for? If not, how much of a gap is there between these executives' responsibilities and their authority?

The short answer is, it depends on the organization and how it perceives the security function. The level of authority and influence that information security executives wield varies widely from organization to organization, says Steve Durbin, global vice president of the Information Security Forum, a nonprofit that provides guidance and best practices for all areas of information security and risk management. And at a great many enterprises, Durbin says, that authority and influence is not sufficient.

"If you look at some of the power players, the guys running security at the largest organizations, they say they do have the authority to at least accomplish what they are tasked with," Durbin says. "But a lot of organizations still don't get the importance of security," and that's reflected in how CISOs and other cybersecurity executives are treated when it comes to authority, budget control and other areas of management.

Recent research confirms that many organizations undervalue information security, Durbin says. For example, according to Ernst and Young's 2012 Global Information Security Survey, only about one quarter of the companies surveyed have given responsibility for information security to the CEO, CFO or COO--elevating it to a C-suite concern. And only 5 percent have information security reporting to the chief risk officer, the person most responsible for managing the organization's risk profile.

"Clearly there is a mismatch or a lack of understanding at the senior level of how important security is and the level of [authority] it needs to have within the organization," Durbin says. Information security executives might be partly to blame for this, he adds.


"In my experience, generally speaking, many security executives still find it difficult to effectively transmit their message to C-level decision makers," Durbin says. "They have not been able to align information security with business goals. The industry in general has tended to overuse the fear, uncertainty and doubt methodology to get budget, and to some extent that has damaged the role [of CISOs]."

At many organizations outside the Fortune 500, the CISO role today "lacks the prestige to accomplish the information security goals the business requires," Durbin says.


"CISOs have got a difficult task on their hands; very many of them have come from technical backgrounds and up until recently have not been required to work as closely with the business or to communicate security issues in a language that the business easily understands," he says.
