All companies must take cybersecurity seriously, especially when they collect and store large amounts of customer data. Cybercrime is the biggest threat to every company in the world. Boards of companies around the world understand this and have worked to increase the frequency of their communications with the Chief Information Security Officers (CISOs) within their organizations.
A recent report from Ponemon showed that 60 percent of CISOs have a direct channel to the CEO in case of cyber incidents. 50 percent of them still report to the CIO. The role of the CISO has really grown and matured over the years. They have a broader role today than they did just ten years ago, when their main objective was to identify and remedy threats. Today, CISOs are responsible for managing the cybersecurity crisis itself and dealing with the consequences of that crisis once the threat has ended.
Cyber attacks present a huge risk for any business. The penalties associated with allowing nefarious groups to gain access to vital customer data, both regulatory and in terms of PR, mean that all companies should work to secure against and react to cybersecurity threats in real time.
Risk and Threats
The CISO position is moving up org charts because their role within companies is simply becoming more prominent as companies deal with increased cyber threats with each passing year. Companies know the huge risks that come with storing and transferring vital data and they want to ensure that they have a person in place who is not only competent but well-connected within the organization so that they can get the resources that they need.
Here are a few statistics that help to display the importance of cybersecurity today.
- A 2015 report estimated that by 2021, cybercrimes will cost businesses more than $6 trillion per year worldwide.
- Kaspersky Lab estimates that businesses experience a ransomware attack every 40 seconds.
- According to Symantec’s 2017 Internet Security Threat Report, 1 out of every 131 emails is malicious.
- Your average attack isn’t detected right away, or even quickly in most circumstances. According to CompTIA, the average attacker stays inside a network for 146 days before being detected.
The trend here is clear — cybersecurity is becoming increasingly important to businesses of all sizes, and with that, the CISO position is taking on a bigger role within companies. More is expected of them. They require higher levels of communication and access to effectively do their jobs. More often, CISOs are reporting to CEOs and other C-level executives simply because the stakes are so high when it comes to cybersecurity. Historically, they have been two steps removed from CEOs and reported to CIOs. That is beginning to change in many organizations.
Respond to Threats Quickly
Your cybersecurity teams are going to be well versed in your incident response plans. They should know exactly what they need to do in the event of an attack or incident, who they should report to, and how they will go about handling the issue. However, do other people within your company have an understanding of how this works? How many of them even know who your CISO reports to?
Responding to a threat as quickly and effectively as possible is critical for reducing harm and being able to reliably deal with threats as they arise. This requires your entire organization to be on the same page — not just your cybersecurity division. Often, individuals outside of that department will still have a role to play in your incident response plan, even if that role is simply providing necessary information.
“A CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business,” says Richard Wildermuth, director of cybersecurity and privacy at PwC.
Including your cybersecurity management on your org chart and making them visible to the rest of your company can help everyone else better understand the relationships, who the security managers report to, and how important they are within your organization. Your CISO must be empowered to protect the business. To do so, they need to be able to respond effectively to issues as they arise.
The trend is for cybersecurity divisions to move up on org charts and become more prominent within companies. There may come a day when your CISO or a member of your cybersecurity team needs people in other departments to work with them and help quell a threat — those people need to know to take the instructions seriously and drop whatever they are working on to facilitate the fix.
A New Type of C-Level Exec
The CISO has always been a unique position among C-level executives. However, their increased importance within organizations has dictated that they report directly to higher-level executives, often bypassing the CIO to report to the CEO. This structure puts many CISOs on par with other C-level positions that they were typically ranked below.
There are other workarounds, too. The Chief Risk Officer (CRO) is another reporting option that has increased in popularity over the last few years. A key concern for any business that has a gap between the CISO and CEO is ensuring that opinions and facts aren’t changed or altered before making their way to the CEO. Having a CRO there to help facilitate the transfer of this information can help CISOs focus on the risk and mitigation aspects of their job, while others focus on the communication aspects.
A Position With Growing Responsibilities and Importance
The CISO position and cybersecurity departments in general are becoming more vital to the daily operations of every business. As companies face increased cyber threats, these departments are the frontline soldiers protecting their vital data assets and networks. Companies are constantly under a barrage of cyber attacks, and CISOs play a critical role in protecting the companies that they work for. As a result, they have been moving up the totem pole and many report directly to the CEO these days, giving them a more prominent role on org charts.