Chris Wilkinson, director, BSS
In a recent study BSS conducted, our fears were confirmed — the role of Chief Information Security Officer (CISO) is not being valued by senior leadership.
The study, titled ‘How CISOs can succeed in a challenging landscape,’ surveyed 150 information security decision makers in the UK. Astonishingly, more than 70% of CISOs expressed the belief that information security isn’t adequately recognised by senior leadership.
In fact, only just over a quarter (28%) of respondents felt that the board acknowledged the value of their role, while a mere two in ten (22%) were actively involved in broader business strategy and decision-making processes.
Taking a seat at the table
CISOs need a seat at the table. It’s as simple as that.
Such a poor level of prioritisation for information security is unacceptable in a world of evolving threats that can result in significant financial and reputational penalties — especially when the responsibility for preventing (and inevitably recovering from) cyberattacks falls to the CISO.
As such, CISOs need to be forceful and use business impact as ammunition to give them leverage in the boardroom, helping them secure the resources and investment they need. Because the investment is there in most cases, it’s just misplaced.
Spending in the wrong places
The research also revealed that over three quarters (78%) of participants noted that high-profile security incidents were the driving force behind increased budget allocations for information security.
But, despite the reported increase in budget, over half (55%) of CISOs stated that they are pressured to spend that budget on addressing issues that are currently making headlines, rather than where the funds are truly needed.
This not only highlights the reactive rather than proactive approach boards are favouring, but it also indicates a failure to recognise the strategic value that CISOs bring to the table.
It’s a particularly disappointing trend to see when only one in ten (9%) of CISOs reported that information security consistently ranks among the top three priorities on the boardroom agenda. A staggering half (49%) of respondents admitted to a lack of C-level buy-in for information security, with a third (32%) stating that there is no buy-in at all.
These revelations point to a significant gap in understanding the importance of cybersecurity for fundamental business operations and a lack of awareness of the skill of the CISO.
Attacks are inevitable
As organisations navigate an increasingly complex cyber threat landscape, it is crucial to recognise the strategic importance of CISOs.
The findings of this study underscore the need for a paradigm shift in acknowledging the indispensable role of CISOs in shaping and safeguarding the future of businesses.
Ultimately, when it comes to cyberattacks it’s not a case of if, it’s a case of when. As such, there’s no viable reason that information security shouldn’t be at the top of every board’s agenda and priorities.
And with companies like BSS here to support CISOs and their cybersecurity, risk and ITOps teams, it’s easier than ever to prioritise information security. It’s high time for organisations to recognise CISOs as vital enablers of commercial operations, with information security integrated into every business decision.
To delve deeper into the research findings, you can read more in this blog or download your own copy here.