CISOs and other management level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings.
About 90% of cybersecurity managers now report to a top level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America.
“The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”
Moody's identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.
“The greater proximity between the executive and CISO is credit positive and fosters greater awareness and understanding of cyber risk within an organization,” Libretti said. “It also typically translates into more support for increased budgets and resources.”
The CISO role has evolved in the years since the 2020 Sunburst supply chain attacks against SolarWinds and other companies, as well as the 2021 Colonial Pipeline ransomware attacks.
CISOs have taken on more scrutiny, too, including the prosecution of the former Uber CISO for covering up a ransomware attack and the SEC filing civil charges against the current SolarWinds CISO for allegedly misleading investors about the company’s cyber risks.
Major companies have given CISOs more visibility, responsibility and oversight responsibility. Their leadership particularly in light of the need for rapid threat hunting and disclosure stemming from the Securities and Exchange Commission's incident reporting rules and the coming Cyber Incident Reporting for Critical Infrastructure Act.
The SEC rules require companies to report material incidents within four business days of determining materiality. CIRCIA will require critical infrastructure providers, which includes more than 300,000 covered entities, to report major incidents to federal authorities within 72 hours of the incident. The final rule is expected to be ready in about 18 months.