Security executives have taken on much more responsibility and visibility in recent years as threats to corporate information assets and physical resources have increased.
But do their titles—whether it's CSO, CISO, vice president of security or other C-level position—always come with the authority needed to achieve everything they are responsible for? If not, how much of a gap is there between these executives' responsibilities and their authority?
The short answer is, it depends on the organisation and how it perceives the security function. The level of authority and influence that information security executives wield varies widely from organisation to organisation, says Steve Durbin, global vice president of the Information Security Forum, a nonprofit that provides guidance and best practices for all areas of information security and risk management. And at a great many enterprises, Durbin says, that authority and influence is not sufficient.
"If you look at some of the power players, the guys running security at the largest organisations, they say they do have the authority to at least accomplish what they are tasked with," Durbin says. "But a lot of organisations still don't get the importance of security," and that's reflected in how CISOs and other cybersecurity executives are treated when it comes to authority, budget control and other areas of management.
Recent research confirms that many organisations undervalue information security, Durbin says. For example, according to Ernst and Young's 2012 Global Information Security Survey, only about one quarter of the companies surveyed have given responsibility for information security to the CEO, CFO or COO—elevating it to a C-suite concern. And only 5 percent have information security reporting to the chief risk officer, the person most responsible for managing the organisation's risk profile.
"Clearly there is a mismatch or a lack of understanding at the senior level of how important security is and the level of [authority] it needs to have within the organisation," Durbin says. Information security executives might be partly to blame for this, he adds.
"In my experience, generally speaking, many security executives still find it difficult to effectively transmit their message to C-level decision makers," Durbin says. "They have not been able to align information security with business goals. The industry in general has tended to overuse the fear, uncertainty and doubt methodology to get budget, and to some extent that has damaged the role [of CISOs]."
At many organisations outside the Fortune 500, the CISO role today "lacks the prestige to accomplish the information security goals the business requires," Durbin says.
"CISOs have got a difficult task on their hands; very many of them have come from technical backgrounds and up until recently have not been required to work as closely with the business or to communicate security issues in a language that the business easily understands," he says.