Conventional wisdom suggests that the costly data breaches at Target, Home Depot, JPMorgan, and elsewhere have elevated information security concerns to the highest echelons of corporate America and are driving major improvements in security practices.
But the results of two separate surveys highlight a somewhat more nuanced reality.
The breaches and resulting losses have made security a higher priority on the corporate agenda. But a disconnect still appears to exist between the security function and senior leadership at many companies. What's more, many corporate boards seem nonchalant about the risks their organizations face from information security failures such as the ones that have hit Sony Pictures, Anthem, and others in recent months.
In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months.
In fact, just a quarter of the respondents said senior management viewed security as a strategic priority while the remaining 75 percent said they viewed it as a necessary cost.
The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year, in which fewer than 42 percent of respondents said their board actively participates in overall security strategy, while barely 25 percent said their boards were involved in reviewing security and privacy risks to their organizations.
The results of the Raytheon survey suggest that the massive attention generated by the data breaches has not really moved the needle much on attitudes toward information security at many companies.
But a separate, soon-to-be-published survey by International Data Corporation (IDC) showed information security professionals themselves having a slightly more optimistic view of their present lot and where they were headed. A majority of the 269 security professionals polled by IDC claimed the attention paid to security within their organization has increased in recent times and has had a positive effect on their organization’s overall security posture.
About 42 percent of the chief information security officers, or CISOs, said they reported to their company’s board of directors on a quarterly basis and more than 6 in 10 said the frequency of their interaction with board members had actually increased in recent months.
While those findings are somewhat in contrast with the more meager results in Raytheon’s survey, the two reports are similar in other aspects. Few CISOs, for instance, still report directly to the chief executive, despite the heightened importance of the information security function. Only 14 percent of the respondents in the Raytheon survey and 15 percent in the IDC survey said the CISO function reported directly to the CEO.
Another vexing factor uncovered by IDC was that larger companies are much less likely than smaller companies to have a CISO directly reporting to the CEO.
The results suggest that while organizations say they are headed in the right direction, many at the highest levels still appear to view a data breach as something that only happens to others, says Jack Harrington, vice president of cybersecurity and special missions at Raytheon.
“The Target hack was very interesting,” Mr. Harrington says. “It raised awareness across the entire retail industry certainly,” he said. But at that time, the number of CISOs that Target had ever hired was zero, he noted. “That tells you they felt they didn’t even need that position. They just didn’t feel at risk.”
The apparent disconnect between the security organization and senior management highlighted in the survey suggests that the same attitude continues to persist at many companies, said Mr. Harrington.
IDC analyst Pete Lindstrom said much of what is reflected in the surveys lies in the interpretation. “Some of this is really framing how you want to say it,” he says. “You could look at it as a glass half-full, glass half-empty kind of thing.”
The fact that only 15 percent of CISOs still directly report to the CEO might appear depressing to some. But another 50 percent report to an executive who is just one layer removed from the CEO, which isn’t entirely bad, said Mr. Lindstrom. Over the next three years that number is expected to reach 75 percent.
Security organizations and security executives that claim they do not get the attention they need should assess their approach to risk management to see why that might be the case, Lindstrom said.
“It is the business oriented risk-reward folks who succeed,” not the paranoid ones, he said.