Security report: CISO's get little respect

Michael Kassner
Updated
Security report: CISO's get little respect

ThreatTrack Security released an IT security report and it focuses on how C-level executives regard the role of CISO primarily as a target for finger-pointing in the event of a data breach, and most of the ranking executives have little faith that a CISO could hold other leadership positions.

Eye-opening statistics

Let's take a closer look at the ThreatTrack Security report. The report was the end product of an independent blind survey of 203 US-based C-level executives - including CEOs, presidents, CIOs, COOs, CFOs, general counsels, chief legal officers, and chief compliance officers in organizations that also employ either a CSO and/or CISO. The survey was conducted by Opinion Matters for ThreatTrack Security in June and July this year.

Some of the resulting statistics:

● 74 percent said they do not believe CISOs deserve a seat at the table and should not be part of an organization's leadership team.

● 54 percent believe CISOs should not be responsible for cybersecurity purchasing.

● 44 percent believe CISOs should be accountable for any organizational data breaches.

● 28 percent said their CISO has made cybersecurity decisions that negatively impacted the organization's financial health.

Regarding the survey, Barb Darrow of Gigaom brought up an interesting point in her post Oh, boo hoo. CISOs get no respect from their C-suite peers . "To be sure, being in charge of security can seem like a no-win situation already. Speakers at a recent CIO conference at MIT said that security execs always have to justify their budgets," Darrow said. "If there's no breach at all, that money is seen as wasted. And if there is a breach, that money is also seen as wasted. Where do you go with that sort of attitude?"

Attitude is unchanged

For several weeks following the report's release in July, emotionally-charged missives (more often than not containing references to Rodney Dangerfield) traversed the internet. What I sense from discussions since then is that little has changed. Case in point, I submit The most unpopular person in the room , a post written, this past month, by Raj Samani, EMEA CTO of McAfee.

Samani was asked to speak at several conferences about the Internet of Things. Working for McAfee should betray what concerns Samani. "Throughout the entire week, I was referred to as the policeman," mentions Samani, "because I would keep asking whether security and privacy controls were implemented."

Another example where Samani defends the tenets of digital security is this BrightTalk video (eight-minute mark). There is little doubt who is pro security and who is not.

Attempting to understand the discord

In his post, Samani explains that everyone is working toward the same end game -- producing a good product. The difference is the amount of emphasis placed on security during the product's development. Those conscious of security are more likely to assess the potential risks right from the product's inception and continue evaluating security through final production. Samani said, "This approach will reduce the likelihood of that new product being part of a compromise demonstration at the next security conference."

There is the flip side though. Those calling Samani the "heat" feel attempting to mitigate all security risks is impossible, and trying to do so impedes today's fast-paced development cycles, acts as a barrier to innovation, and affects the bottom line in a bad way.

Those widely disparate attitudes fuel the debate and "us against them" attitude. The thing hurting security managers is that there are more of them. Not ready to admit defeat by any means, Mr. Samani ended his post with this thought, "Being unpopular is not a problem. Living in a world without trust in the systems we depend on is."