According to a recent report, only five of the Fortune 100 companies count their heads of security when listing top management.
The CISO role and its relationship to clout and influence have always been a dance with the corporate old guard. Does the CISO truly have the authority to stop a line-of-business executive from doing something risky? And if the CISO tries, will the CISO get backing from the CEO and others?
A recent LinkedIn discussion initiated by Derek Andrews, director of cybersecurity operations and incident response for a large nonprofit that he said he would rather not identify, encapsulated the fears quite well.
"The CISO role isn't really the chief of anything other than being the person to take the fall when the time is right," Andrews wrote. "CISOs aren't in the CEO inner circle. They're like the fourth ring out. That means that the security sell has to go through three others before it gets real organizational approval and, by that time, it's watered down to doing more phishing training."
Andrews then raised a critical question: Why do enterprises allow every business unit to decide on their own if something is overly risky, rather than the CISO?
"I've never seen any place that allowed each business unit to run its own network. So why are we allowing someone in marketing to accept a cyber risk that can impact every business unit in the org? Acceptance would mean ownership, and we all know that accountability never comes to cyber risk accepting business units. It's the CISO that takes the fall," Andrews wrote. "The CFO has final authority when it comes to financial risk and performance. You'll never hear a CFO say, 'Well, if you accept the risk, then you can do it.' This isn't something they do. As the chief they are the final authority and are held accountable for everything under their domain."
Learn Leadership Lingo
Why do enterprises give their CISOs so much less power than other C-level executives? This doesn't merely undermine the enterprise cybersecurity strategy. It can also have the indirect impact of lessening the security posture even more, as CISOs become gun-shy that they'll be overridden and start greenlighting efforts that they know should not be approved.
Barak Engel, CEO of security firm EAmmune and author of Why CISOs Fail, argues that much of this problem stems from Wall Street and other market forces. When major security breaches are announced, companies will sometimes see a dip in their stock price, but it's almost always very temporary.
"Breaches don't have long-term negative impacts. Stock prices recover fairly quickly," Engel says. "The CEO takeaway is that security doesn't matter after the first few months. But CISOs paint it as really scary, and CEOs are skeptical."
Although it has been said many times, Engel maintains that this harks back to CISOs not effectively communicating to the CEO — and business unit heads — in pure business terms.
"Just once I want to hear a CISO use the term 'cash flow,'" he says. "If all we hear from you are scary stories, then you haven't learned what it means to be a C-level. You have not adopted the language of the business."
Build Business Buy-In
Another part of the problem is the relative newness, at least on the CEO's strategic plate, of cybersecurity. The CEO suite at Fortune 500 companies has had generations of experience understanding and getting comfortable with the risks and uncertainties that exist within legal, financial, human resources, incident response, compliance, and other business units. But to many CEOs, cybersecurity risk seems awkward and difficult to master.
"Most business risks are static, but cyber-risk absolutely is not," says Dirk Hodgson, director of cybersecurity for NTT Australia. "In cybersecurity, the risks are not universally agreed or clear. It may not be disrespect of the CISO as much as poor communications in a business context. There is a fundamental difference in expectations between cybersecurity and other business units. Until we fix that, we're going to be stuck in the same spot."
Vectra AI CTO Oliver Tavakoli argues that the nature of cybersecurity itself causes this issue. Even though the CISO is issuing regular memos to top executives about various issues, they are often ignored until a security emergency happens.
"Cybersecurity is only dealt with during a crisis. Almost always, that conversation is during a negative situation. That makes it very difficult to develop that rapport," Tavakoli says. "Most CISOs are stuck to being heroes to other CISOs and not to the rest of the C-suite."
Adds Brian Walker, CEO of cybersecurity consultancy the Cap Group: "It's all about authority and respect. If you have the authority and your boss doesn't back you up, then the CISO doesn't really have the authority."