Does Your Title Match Your Authority?
Tue, February 04, 2014
CSO — Security executives have taken on much more responsibility and visibility in recent years as threats to corporate information assets and physical resources have increased.
But do their titles, whether CSO, CISO, vice president of security or another C-level position, always come with the authority needed to achieve everything they are responsible for? If not, how much of a gap is there between these executives' responsibilities and their authority?
The short answer is that it depends on the organization and how it perceives the security function. The level of authority and influence that information security executives wield varies widely from organization to organization, says Steve Durbin, global vice president of the Information Security Forum, a nonprofit that provides guidance and best practices for all areas of information security and risk management. And at a great many enterprises, Durbin says, that authority and influence are not sufficient.
"If you look at some of the power players, the guys running security at the largest organizations, they say they do have the authority to at least accomplish what they are tasked with," Durbin says. "But a lot of organizations still don't get the importance of security," and that's reflected in how CISOs and other cybersecurity executives are treated when it comes to authority, budget control and other areas of management.
Recent research confirms that many organizations undervalue information security, Durbin says. For example, according to Ernst and Young's 2012 Global Information Security Survey, only about one quarter of the companies surveyed have given responsibility for information security to the CEO, CFO or COO, elevating it to a C-suite concern. And only 5 percent have information security reporting to the chief risk officer, the person most responsible for managing the organization's risk profile.
"Clearly there is a mismatch or a lack of understanding at the senior level of how important security is and the level of [authority] it needs to have within the organization," Durbin says. Information security executives might be partly to blame for this, he adds.
"In my experience, generally speaking, many security executives still find it difficult to effectively transmit their message to C-level decision makers," Durbin says. "They have not been able to align information security with business goals. The industry in general has tended to overuse the fear, uncertainty and doubt methodology to get budget, and to some extent that has damaged the role [of CISOs].