You Get Nothing! You Lose! Good day, Sir!
(Originally posted on LinkedIn on August 27th 2014)
“You get nothing! You Lose! Good day, sir!”
In the midst of reading article after article out there concerning the importance of the CISO and how they should be strategic leaders, I came across a dismaying survey. The survey addresses the respect given to CISOs by their C-Level peers.
Let's examine a few of the findings here:
- 74% of the respondents felt that the CISO didn’t deserve to be part of the organization’s leadership team;
- 61% didn’t think their CISO would succeed in a non-information security leadership position and further expounded by saying that they didn’t possess the broad awareness of organizational needs and objectives outside information security (68%);
- Only 27% believed their CISOs are actually contributing to improving security;
- 28% commented that their CISOs have made decisions that have had a negative impact on company financials in terms of lost business and decreased productivity.
Juxtapose this with:
- 52% of CEOs believe that the CISO is responsive for security incidents.
- 62% of CEOs view cyber security purchasing decisions as part of the CISO’s role.
More alarming, still, is this information in conjunction with a report by Bain & Company in February 2014 that notes a 22% increase in the time to detect and resolve security breaches as well as a 6% increase in the average financial impact of each breach.
The take away here is clear - a vote of no confidence from the CISO’s peers. Of course, I’m sure if the CISOs of these same organizations were asked the same questions the results would have been quite different and here in lies the problem.
For years we, as information security professionals, have expounded our “knowledge of the business” and how we provide value to the company. We meet and tell each other this much like a support group, but in the end this message isn’t resonating with our peers in the C-Level suite.
Honestly, this study isn’t anything new that we didn’t know. We’ve simply been kidding ourselves that our efforts were being seen and appreciated. We knew when budgets were cut, headcount denied, and doors were shut when yearly strategy sessions were being held that this was the case. This isn’t a movie: Willy Wonka isn’t going to pop up and tell us he was testing us.
So, the challenge is clear. How do we demonstrate our right to have a seat at the table over and above the old rhetoric that is clearly falling on deaf ears? Feel free to weigh in below.