
CISOs: You need to manage by ‘walking around’


CISOs today are often expressing the same frustration as CIOs in the 1990s: They have critical information but aren’t being heard.
Chief information security officers (CISOs) today have replaced chief information officers (CIOs) as the most under-valued C-level executives. In fact, according to research from the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), nearly one-third (29 percent) of corporations today still do not have a CISO role or its equivalent. And for those that do have such a role, the CISO is often relegated to “glorified administrator” status, rather than strategic business enabler.
This is why CISOs are almost always fired or “resign” after major data breaches. When shareholders and customers demand blood following a breach, the CISO is the sacrificial lamb, even if there is no realistic way the CISO could have prevented the breach under the operating circumstances (which could include insufficient budget, headcount, and business visibility). This is often a self-defeating act, since the CISO is usually the most qualified person to manage post-breach forensics, cleanup, and compliance audits.
In many ways, the plight of today’s CISO mimics that of CIOs in the 1990s. Back then, the CIO stereotype among business executives was “the guy crawling around under the desk connecting cables.” And, like today’s CISO, the CIO was only noticed when things went wrong. Today, CIOs have taken their rightful place in the boardroom as digital business has become a key driver of business strategy across industries. According to an IDC survey, at the end of 2017 two-thirds of Global 2000 CEOs had digital transformation at the center of their corporate strategy. (As Domino’s Pizza CEO Patrick Doyle has famously said, “We are a tech company that happens to sell pizza.”)
However, enterprises have been slow to embrace security as an enabler of this digital transformation. Of those enterprises that have a CISO role, only 44 percent of the ESG/ISSA survey respondents indicated their CISOs had an adequate amount of interaction with CEOs and boards of directors. As a result, CISOs today are often expressing the same lament as CIOs in the 1990s: “I can’t get a seat in the boardroom.
