Nearly half of C-level executives view the primary role of a chief information security officer (CISO) as being “accountable for any organization data breaches” – in other words, a scapegoat, according to a study by ThreatTrack Security. Seventy-four percent of respondents to the survey said they do not believe CISOs should be part of an organization’s leadership team. Additionally, 61 percent of the C-level respondents do not believe their CISO would succeed in a non-information security leadership position in the organization.
“At a time when enterprise security data has never been more important, the executive team is still keeping the CISO at arm’s length,” the report says.
Twenty-eight percent of respondents say their CISO has made cybersecurity decisions that have led to negative effects on the enterprise’s financial health, including lost business, decreased productivity or impaired service levels.
CISOs face an uphill battle for recognition as enterprise security leaders. Only 27 percent of respondents believed their CISO contributes greatly to improving day-to-day security, and less than half believe CISOs should be responsible for cybersecurity purchasing decisions.
According to the report, “The perception that the role of the CISO exists primarily to take responsibility for data breaches is especially prevalent among retail (65 percent) and healthcare (55 percent) companies, which are among the most common targets of cyber-attacks.”