Accenture study reveals that Chief Information Security Officers within enterprises are lacking authority and visibility to affect change.
The Chief Information Security Officer (CISO) within an organization has responsibility for developing and establishing cyber-security strategies and policies. Yet according to a new study from Accenture Security, many organizations don't give CISOs the resources they need and few CISO have the required influence within enterprises to affect change.
The Securing the Future Enterprise Study Today- 2018 report was released on July 10 and is based on a survey of 1,460 C-level executives. Among the highlights of the 36-page report is that 73 percent of respondents agree that cyber-security staff and activities need to be dispersed throughout an enterprise, yet 74 percent noted that cyber-security today is largely a centralized activity.
"The biggest surprise in our survey was the fact that fewer than one-third of CISOs and business leaders collaborate on a cyber-security plan and budget," Ryan LaSalle, managing director, North America Lead, Accenture Security, told eWEEK.
LaSalle added that the study also found that only 40 percent of CISOs say they always confer with business-unit leaders to understand the business before proposing a security approach.
"This tell us that that better alignment is needed earlier in the process between the C-suite and CISOs to reduce future cyber risks," LaSalle said. "It's a two-way street, of course - so as CISOs convey key cyber risk in more business relevant terms, they become more valuable to business leaders and more effective at guiding decision making."
Of particular note, the study also found that CISOs have limited capabilities to influence business units across their organizations. LaSalle said that CISOs lack of organizational influence is due to many factors, including a lack of understanding of cyber-risks among business executives and sometimes, a failure by CISOs to take the initiative to collaborate.
"For example, only 38 percent of business leaders bring the CISO into all discussions at the beginning stage of considering new business opportunities - so you cannot influence where you are not aware," LaSalle said. " Additionally, enterprise security professionals often only have responsibility for defending Enterprise IT - while the attackers and the business owners are engaged across many points of the company's value chain."
LaSalled added that Accenture's research found that most respondents agreed with the idea that some kind of high-level role is needed to be a bridge between security and business units. He said that if CISOs cannot continue to evolve their roles and relationships, they will not be able to have the impact the business needs.
One of the areas identified in the Accenture report as being a gap in cyber-security is cloud computing. 74 percent of survey respondents noted that cloud services raise organizational cyber-risk, yet only 44 percent said that cloud technology is protected by their existing cyber-security strategy.
"While many security organizations have established cloud security and cloud governance programs, the gap is most likely attributed to business adoption moving more rapidly and across more dimensions than security can sustain," LaSalle said. "Cloud providers have significant security capabilities that can be deployed at the enterprise's discretion, but nearly half of CISOs acknowledge that their responsibilities for securing the organization are growing faster than their ability to address security issues - hence the gap."
LaSalle said that Accenture's research shows that CISOs are well established in large companies yet few have the authority and visibility they need to influence business units and build cyber-resilience into their strategy.
"For CISOs to function as sought-after collaborators and trusted partners they need to work closely with business units to protect and enable the growth initiatives envisioned by top leadership," LaSalle said. "Cyber-security is also everyone's responsibility and companies must also spread knowledge among all level of employees by implementing regular awareness training tailored to individuals' roles."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.