We’ve all heard or read the rhetoric that “cybersecurity has become a boardroom issue.” I certainly agree that we are trending in this direction, but is this true today or nothing more than marketing hype?
ESG recently published a new research report in collaboration with the Information Systems Security Association (ISSA) titled, The State of Cyber Security Professional Careers, to ask a number of questions and truly capture the voice of cybersecurity professionals.
As part of this project, cybersecurity professionals were asked whether their CISO’s (or similar role’s) participation with executive management (i.e., CEO, board of directors, etc.) was at an adequate level. Just over half (56%) answered yes, but 16% thought the CISO’s level of participation with executive management should increase somewhat, while another 12% believe that it should increase significantly. The remaining 16% responded, “don’t know.”
So, despite industry rhetoric, more than one-quarter of cybersecurity professionals believe that CISOs are not getting the right level of executive facetime. Given the number of major data breaches we’ve seen over the past few years and continue to see today, this seems totally inappropriate to me.
The results are even worse when further analyzed. The survey population of 437 cybersecurity professionals included 61 CISOs (or similar position). Of these CISOs:
- 21% believe the CISO's level of participation with executive management should increase somewhat (compared with 16% of the total survey population).
- 25% believe the CISO's level of participation with executive management should increase substantially (compared with 12% of the total survey population).
These CISOs are the very individuals who have the best understanding of the amount of time they spend with executives and whether this is an appropriate amount. Alarmingly, nearly half of them (46%) say they aren’t getting enough executive attention. To me, this is very discouraging data to say the least.
We cybersecurity professionals take pride in the job we do and in the current state of the industry. Heck, cybersecurity has become a daily topic in the U.S. presidential election, and more than 35,000 people attended this year’s RSA Security Conference last February.
Yup, we’ve made progress, but the ESG/ISSA data is a sobering reminder that we need to eschew hyperbole and realize that there’s still a lot of work ahead. The fact remains that too many organizations still don’t want “good security,” they want “good enough security,” which has proven time and time again to be insufficient for preventing, detecting, and responding to sophisticated cyber-attacks.
CISOs must keep pushing for more boardroom facetime while fat cat CEOs and board members must stop dismissing infosec as a technical issue and truly embrace cybersecurity as part of business planning, business processes, and organizational culture. Our collective safety is at risk.