Skip to main content
close search
site logo
Dive Brief

Infosec execs still lack direct access to the CEO: study

Published June 22, 2021
David Jones's headshot
Reporter
A man looks at lines of code depicted on a computer screen
sestovic via Getty Images

Dive Brief:

  • IT security executives are struggling to get access to top executives in the enterprise, with only 7% of cybersecurity leaders reporting directly to the chief executive officer, according to research from LogRhythm and the Ponemon Institute, released Tuesday. 

  • Of the 1,426 infosec executives surveyed, 63% do not provide updates to the board of directors on security-related matters. Of those security leaders reporting to the board, 41% only address the board in the event of a security incident. Only 29% of respondents have a board-level committee dedicated to cyberthreats and related security issues facing the organization. 

  • Among the respondents, 24% report to the chief information officer, 19% report to the director or manager of IT, 12% report to the chief technology officer, while 11% report to the VP of IT. The research is based on responses from an original sampling frame of more than 39,000 cybersecurity professionals from the U.S., Asia Pacific and the EMEA region.

Dive Insight:

A growing issue of security governance and accountability in the enterprise, particularly after so many high-profile ransomware attacks and data breaches in recent years led to changes within corporate structures. 

Cybersecurity and IT have taken on a more critical role in the overall operations of organizations, particularly since major companies and government agencies switched to a work-from-home model more than a year ago. 

"With cyberattacks growing in size and stature, businesses, governments and critical infrastructure are increasingly at risk," said Mark Logan, CEO of LogRhythm, which sponsored the research study. "But how is that risk represented at an organization level? Is it a priority for organizations?"

Three in five respondents said their organization experienced a cyberattack in the past two years, according to the research. About 42% of respondents said the IT security leader should be the one held most accountable for preventing or mitigating an attack.

The role of CIO and CISO have often come into conflict over who should take the lead in cybersecurity functions versus overall information security. 

In some of the biggest enterprise breaches and cyberattacks in recent years, the role of IT security played a major role in how the C-suite and board of directors oversaw information security issues. 

About 43% of respondents said their organizations value and effectively leverage the expertise of cybersecurity leaders, the research found. The study highlights an ongoing concern inside companies regarding the relative lack of value placed on cybersecurity. 

If companies decide to move the role of the CISO outside of the IT structure, they should have specific goals in mind, Tom Scholtz, distinguished VP analyst at Gartner, wrote in an April research report. 

In the years before the SolarWinds attack, the network security company failed to heed warnings from a key security executive that its internal practices made it vulnerable to attack. The company was relatively late in bringing in a designated IT security executive at the vice president level. 

Filed Under: Leadership & Careers

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Leadership & Careers
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell