There’s a problem at the top. In too many organisations, responsibility for cybersecurity is muddled. Or even worse, it’s being assumed by the wrong person. Given escalating threat levels, the complexity of security environments and increasingly acute regulatory challenges, there’s an urgent need for clear reporting lines and a foregrounded role for the CISO.
With strong leadership at the top, it becomes easier to build that much-needed security culture organisation-wide, engrained by design and default into everything people do.
Confusion reigns
NTT Security’s most recent Risk:Value report was distilled from interviews with 1,800 non-IT business decision makers across the globe. It paints a confusing picture. Globally, 22% believe the CIO is ultimately responsible for managing security — slightly ahead of both the CEO (20%) and CISO (19%). In the UK, the biggest number of respondents believe the CEO (21%) is in charge, followed by the CIO (19%), with the CISO again in third place (18%). In the US (27%) and Norway (26%) even more respondents voted for CEO leadership in security.
We can deduce a couple of things from these findings. First, the CISO is still not viewed as a standalone leadership role, and second, executives are really split over who’s in charge. In fact, with the hiring of Data Protection Officers (DPOs) by many organisations to comply with the GDPR, responsibilities could become even more blurred.
Part of the problem may be that in many organisations the CISO still reports in to the CIO. This is starting to change. According to the CIO100 survey the number of CISOs who are seen as peers of the CIO more than tripled, from 5% in 2017 to 16% this year. But our findings show there’s still a lack of clarity on the separation of powers between CIO and CISO.
Whatever happens, organisations should not be handing responsibility for the cybersecurity function

View Entire Article on