K logix Research Finds Competitive Advantage, CEO Access, Peer Collaboration and a Desire for Better Communication with the Board Are Emerging Trends Among CISOs
CISOs are struggling to define their role with the Board, are seeing more face-time with the CEO and also are leaning on their peers for information sharing and networking more than ever before, according to a recent research project conducted by K logix, a data security company. These trends emerged after many interviews with CISOs across all industries, including financial services organizations, healthcare companies, the public sector, retail and consulting.
1. CISOs know security is a business enabler and they are working to make an impact. Fifty-three percent of CISOs state that one of their main objectives is to align security with business goals, while 46 percent want to partner with business leaders to help them solve problems.
Long stymied by a reputation as “Dr. No,” as Dr. JR Reagan, CISO at Deloitte, put it, security teams have had to battle an outdated image that casts them as a drag on productivity. It is not always easy for CISOs to convince others in the company that security can be more than an operational defense system and is in fact a business enabler. Michael Newborn, CISO at Bloomberg BNA, initially met resistance when he let other leaders in the company know that one of his main goals was to advance the business. The first reaction from some of his peers was, ‘we don’t need you to focus there. Just make us secure.’ But Newborn was able to show how security could directly support business goals, which set the foundation for how his team would work with other business units to achieve their priorities.
Some CISOs go one step further and believe that security can be a real competitive advantage for their organizations. “Today security is a real business enabler, and proves to be a competitive advantage,” says Darrell Keeling, CISO at retailer Lands’ End. He believes that CISOs who perform due diligence to accept appropriate risks and instill thorough processes can have an impact on the business comparable to that of revenue.
2. Reporting into the CEO. Today more than half of CISOs report to the CIO and just 15 percent report to the CEO, with the rest reporting to the COO or to risk-related organizations. But when asked about the future of the security organization, 50 percent of CISOs responded that the role will report into the CEO.
Why is a structural move necessary? Some CISOs felt that reporting into the CIO introduces a conflict of interest: security teams assess the risks of specific technology systems that the CIO owns, and often recommend that technology be used to address those risks. Phil Curran, who reports into the Compliance Department as Chief Information Assurance and Privacy Officer at Cooper University Hospital, is one security leader who believes as much. His group reported into the CIO at first, but found that this structure limited its ability to communicate risk effectively to other business units. He states, “The move out of IT was among the biggest factors in the success of our information assurance and privacy program.”
Other CISOs believe that the CEO needs to hear directly, and more frequently, about risk. Damian Laviolette, the CISO at Webster Bank, reports into the CIO. He says, “The CISO needs to educate the CEO on cyber security as it relates to business risk. CEOs need to understand security at their level, and they need their CISO to be a right-hand-man.”
While most CISOs still report into the CIO, it is notable that more experienced professionals, those with more than one CISO title on their resume, are the ones most likely to report into the CEO today. It seems that when CISOs look for their next opportunity, they seek CEO-level sponsorship of the security organization. Steve Bartolotta, CISO at Community Health Network of CT and formerly CISO at Yale New Haven Hospital, is a good example. He states, “Community Health Network elevated the role of CISO to report directly to the CEO just prior to my coming on board.”
3. CISOs have face-time with the Board, but desire more two-way communication. Ninety-two percent of the CISOs we have spoken with report some level of interaction with the Board. Many reported that they give either a quarterly or an annual update in front of the Board, and others are called in front of their Board when incidents within the company, their industry, or the news pique the Board’s interest in the security program.
Nearly all respondents said they would prefer more strategic, two-way communication with the Board. Newborn, of Bloomberg BNA, noted that the company does not have a traditional Board of Directors and that his interaction with senior leadership is limited: “I have their support and I have a process to communicate our risk posture on a monthly basis, but we need to be more engaged in two-way communication about the strategic direction of the company and security.”
4. CISOs are in this together: peer networking, mentorship programs and associations prove valuable. CISOs are fighting many challenges, from a lack of executive awareness and advanced cyber threats to limited budgets and inaccurate perceptions of the role. It is no wonder that they have become each other’s best advocates, supporters and collaborators. All of the CISOs, regardless of industry, mentioned that peer networking, conferences, and industry associations are vital to their own growth. Jim Routh, now the CISO at Aetna, learned this lesson early. Years ago, in his first CISO role at a major financial organization, he called upon three senior CISOs from other organizations to help him build a presentation for the Board. Routh took that experience to heart and now regularly mentors other CISOs who are newer to the role.
Information sharing, even among competitors, is common and vital. Daniel Conroy, CISO of Synchrony Financial, said, “The Financial Services Information Sharing and Analysis Center (FS-ISAC) plays a key role in [information sharing] and is serving as the primary channel for receiving timely cyber security threat notifications. All financial services organizations need the Internet to be secure because we need consumers and businesses to feel safe about their private data. It is in the best interests of us all to share cyber threat information to maintain a safe and secure Internet experience for all businesses and consumers.”
About the Author
Kevin West is CEO of K logix, a data security company headquartered in Brookline, MA. To read more in-depth profiles of the CISOs quoted in this article, please visit www.klogixsecurity.com/blog