Where's the CISOs? - missing from more than a third of Fortune 500

News by Mark Mayne

Shocking new report finds that not only are many major enterprises missing a CISO, but also security strategy roles and data protection mission statements are also absent.

An astonishing 38 percent of the 2019 Fortune 500 do not have a chief information security officer (CISO), according to a damning new report.

Of this 38 percent only 16 percent (30/190) have another executive that is listed as responsible for cybersecurity strategy, such as a vice president of security. Only four per cent of the 62 percent majority that do indeed have CISOs actually list the role on their company leadership pages. 

A separate report by Brian Krebs found the situation even worse on a a global basis with just five percent of the top 100 companies having a CISO.

In addition, the Bitglass report found that 77 percent of the Fortune 500 do not mention on their websites who is responsible for security strategy, and 52 percent do not have any language relating to customer or partner data protection.  

"Corporate social responsibility initiatives have made it onto the websites of the Fortune 500, but research has shown that the same level of importance is not being given to publicly demonstrating commitment to cybersecurity initiatives," said Anurag Kahol, chief technology officer of Bitglass. "Lax security and its resulting breaches have long-term repercussions for organisations as well as their customers, shareholders, partners, and other stakeholders. Members of the Fortune 500 should be focused just as much on protecting personal data and consumer privacy as they are on other areas of social responsibility."

The report from Bitglass, ‘Cloudfathers Fortune 500 Cybersecurity Report’ scanned the websites of Fortune 500 companies for key cyber-security phrases, job titles and security mission statements. 

Levels of engagement with security practices varied widely by industry vertical, with aerospace, finance and technology firms considerably outpacing peers in the hospitality, construction and oil and gas industries. 

The transportation industry segment of the Fortune 500 sees the vast majority (57 percent) of its companies listing an executive as responsible for cyber-security strategy, while aerospace industry (33 percent) and the insurance industry (30 percent) rank second and third. A massive 89 percent of organisations in the aerospace industry provide detail about data protection for their customers and partners, followed by finance (72 percent) and technology (66 percent).

However, none of the Fortune 500 hospitality companies listed a cyber-security strategy executive at all, and this poor performance was echoed in the manufacturing and telecommunications industries, which managed a mere eight per cent and nine per cent respectively. Construction, oil and gas, and hospitality industries all managed to provide details about how they protect customer and partner data - in 25 percent of cases. 

Although Europe-wide regulations such as GDPR require enterprises that process large volumes of customer data to internally nominate a Data Protection Officer (DPO), there is no stipulation that they should be publicly visible. 

In an Opinion article by Sean Duca, regional chief security officer for Asia Pacific, Palo Alto Networks, to be published by SC Media UK later this month,  Duca comments: "If a company isn’t able to see cyber-security as a strategic business investment, it will not involve the people responsible for cyber-security as part of the strategic team. Equally, if those at the forefront of cyber-security are not part of the executive team, the organisation won’t have the knowledge or commitment to treat cyber-security as a strategic investment."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews