CISOs breaking free from IT control, missing board support

Some of the UK's chief information security officers (CISOs) are breaking away from IT budgets and reporting lines but are still missing C-level support, a new study reveals.

IT consultancy Company85 recently conducted a study of 50 UK CISOs on their information security practices to gather their thoughts on everything from compliance and breach responsibility to security awareness training. The CISOs voted anonymously on such matters with Blackberry phones at an event in Knightsbridge, London last month.

The subsequent ‘Realtime Maturity Survey’ was published recently and it makes for interesting reading, not least on where information security sits within an organisation.

Speaking at a briefing on the findings, Phil Cracknell, head of security and privacy services at the consultancy, told SCMagazineUK.com that information security has traditionally been “feeding off the scraps of the IT budget” and said that this often correlates to where CISOs reported (often either the CIO or CTO).

But the study showed some improvement in this area, with three in four CISOs (74 percent) now having a dedicated budget for information security. “I would suggest that is progress,” Cracknell added at the time.

Approximately 95 percent of respondents said that their organisation had their own dedicated information security function, while there appears to have been a shift in reporting lines too.

Just under one in three CISOs (29 percent) said that they reported to the main board, another 29 percent said the CTO and almost half – 42 percent – would go to the CIO. No respondents in the study said that they reported to the CFO – although there is reportedly some traction in this area, specifically in the telco and financial services sectors – while five respondents said that they reported to either the chief risk officer or the general counsel.

David Prince, cyber security director at reputation defence firm Schillings, said of the findings: “CISOs need to work with the business to determine the most effective positioning of the security function that ensures appropriate visibility of risk across the business. This often means that CISOs need to stand on their own two feet outside of IT.”

His comments were echoed by other senior IT managers at the briefing, who pointed to the chief information officer (CIO) once reporting to the chief operating officer (COO). One CISO in attendance, working in the technology field but who wished to remain anonymous, said that he had a ‘direct line’ to his company's chairman.

Board sees infosec as unnecessary cost

Despite these findings, getting board-level support appears to be a somewhat trickier operation. In the study, 81 percent of CISOs said that they believed information security was seen as a ‘corporate cost centre’ at their organisation, rather than a business enabler.

The trouble, according to those speaking to SC at the event, is that most boards do not appreciate the cyber security risks and therefore see such investments as a drain on their annual budgets.

“High-profile events are the best enabler to get security on the agenda. Maybe we need a few more sunken ships,” suggested Cracknell.

Schillings' Prince agreed, adding that such events can be the “water cooler conversation” that leads on to more serious discussions with the board.

CISOs, he said, must work with the business to determine which assets are most important. “They need to know what to protect and they should get that from the business,” said Prince.

He anticipates a ‘new generation of CISOs who understand the language of business’ but stressed the need for ‘softer skills’ so that CISOs can communicate properly. “If we report directly to the business, we need to do it justice.”

Speaking shortly after the report was published, independent cyber security consultant Dr Jessica Barker said that an increasing number of her clients are reporting to the board or financial director, a change she said is ‘hugely positive’.

She said that reporting to those with money often resulted in change, but added that there are still many other firms that see information security as a ‘sunk cost’.

“If the person with the money wants this then it often means something – those organisations don't tend to see it as a cost but rather as an investment. But there are still a lot of companies that see [cyber security] as a sunk cost that they're not going to get a lot of benefits from,” Barker told SC.