CISO Still Viewed As Tech Not Business Leader

While the majority of enterprise boards are well aware of cybersecurity risks to their overall corporate risk posture, most chief information security officers (CISOs) are still relegated to technical teams, according to a study out today by ISACA and RSA Conference.

Conducted among over 460 security professionals, the survey showed that 82% report that their board of directors is very concerned about cybersecurity. But at the same time, only 14% of CISOs actually report to the CEO. Instead, the majority--63%--report to the CIO.

“The majority of CISOs still report to CIOs, which shows cybersecurity is viewed as a technical rather than business issue," said Jennifer Lawinski, editor-in-chief for the RSA Conference. "This survey highlights the discrepancy to provide an opportunity for growth for the infosec community in the future.”

The good news is that the majority of security professionals say line-of-business leaders are backing them up with executive support for things like policy enforcement and adequate funding. Often, though, executives work under a double standard and only about 43% of infosec leaders report that these line-of-business leaders are actually following the same policies they demand of the rest of the organization.

Overall, security leaders also believe there's improvement needed across the security ranks when it comes to on-the-job skills. Compared to the same survey last year, there was a 12-point drop in the percentage of security leaders who were confident in their team's ability to detect and respond to incidents, dipping down to 75%. Within that group, six out of 10 do not believe their staff can handle anything beyond simple cybersecurity incidents.

As things stand, 62% of respondents say that it takes at least three months to fill an open position and 59% say that at least half of the applicant pool for jobs they fill are not qualified to fill a position. Approximately 75% say one of the biggest skills gaps they see within the infosec workforce is workers' inability to understand the business--an eye opening stat considering the CISO's positioning in the corporate pecking order.

Related content: