Businesses still don't value CISOs, survey finds

The continuing rift between IT security professionals and 'the business' has been highlighted by a new study that shows many organisations still attach little value to cyber security - even though they know the threat is growing.


The Turnkey Consulting survey finds that one in six IT security pros believe their organisation sees security merely as “an unnecessary expense only undertaken to keep auditors happy”. And only about one-third (37.5 per cent) of organisations view IT security as “an essential business practice that can deliver ROI” – down from 43.9 per cent the year before.

This is despite the fact that over two-thirds of enterprises (71.8 per cent) recognise that the IT security risks they face from external sources have increased.

Richard Hunt, managing director of Turnkey Consulting, said: “It is concerning to see that IT security is still not perceived to be an integral part of the business.”

But CISO representatives say they are “not surprised” by the findings.

Tim Holman, president of the ISSA UK user group, told SCMagazineUK.com via email: “It's not surprising to hear any IT professional think this way, where there is often a lack of top-down cyber security support in the organisations they represent. What's more alarming is that given the increased reality of external threats, business owners and boards are still reluctant to take cyber security seriously, and often see it as a grudge purchase.”

Holman insisted: “Good CISOs aren't cheap, but worth every penny in articulating cyber security risks at a board level. The techies at the coalface are rarely seen as influential, but that doesn't mean businesses should ignore them, as they perform a valuable and obvious front-line defence against cyber attacks.”

But he qualified this, saying that while “businesses need to start listening to the professionals they employ, professionals also need to start talking to the businesses, and in language they understand”.

Amar Singh, chair of the Security Advisory Group of industry body ISACA UK and interim CISO, agreed that security professionals need to work harder to get their message across.

He told SCMagazineUK.com: “Part of the problem with IT and ‘the business’ has always been the inability of the IT professional to properly relate to and explain the business imperative. The more you call it ‘IT security’ the less the business imperative - ‘IT security’ remains an IT problem.”

Richard Hunt at Turnkey focused on how CISOs can change the perception of security.

“It is important that change management activities are undertaken to ensure employees throughout the organisation understand their individual responsibilities when it comes to IT security,” he told SCMagazineUK.com.

“An element of basic awareness training should be undertaken in any company which should be followed up with regular reminders. The form these reminders take will vary, as a newsletter will be well-read in one company where an intranet site is more effective in another.”

The survey, ‘A Risk Perspective on 2014’, also found that 38.2 per cent of the organisations responding had experienced a fraud incident, up from 31.3 per cent the previous year. Likewise, 30 per cent had experienced a data loss that affected business operations, up from 17.1 per cent.

The researchers questioned 55 IT professionals, all SAP software users involved in security and controls activities.