As a result, they continue to struggle for the budget and authority they need. "Many are suffering from lack of authority at a time when security has never been more important," Durbin says.
The implications of this are significant: organizations might not be adequately equipped to secure themselves against cybercrime, which continues to increase in sophistication and scope. At those organizations that lack a strong security authority, senior business leaders could end up making decisions without having sufficient information about threats and solutions.
One security executive, who did not want his name or organization identified, says he does not have the full authority to achieve all his goals directly, and thinks this is true of many of his peers in other industries. He says, "This is probably as it should be, since security is always the junior partner in any business enterprise."
The executive points out that organizational structures "differ everywhere, with the senior security official reporting to a variety of senior executives, from [human resources] to legal to operations. There is no standard solution for this and corporate culture will dictate how this is done."
One issue that the anonymous security executive has to deal with is the fact that there is no central security budget at his organization. Security is diffused throughout the organization, and so is the budget, he says. Since security is seen essentially as a service at every level in the organization, various elements of it are paid for through the budgets of a number of other departments.
The bottom line is that "enterprise security is an expense and does not generate revenue, so it can be an uphill battle to add things like extra staffing with all the loaded costs," the executive says.
Another challenge he faces is that the security function rarely encompasses both physical security and cybersecurity, "so these two essential security functions often do not coordinate all that well or receive the same attention from business leaders," he says.
Leaders are generally more comfortable with the more traditional field of physical security and feel much less at ease on the cyber side, the executive says.
"This means the IT staff becomes the de facto security chief for cyber, which is a little like the fox looking after the henhouse," he says.
"There ought to be a single executive in every organization who the boss can go to for all security solutions."
At some companies, particularly subsidiaries of large, global enterprises, the organizational structure of the business can limit the authority of security executives.
As CISO and IT risk leader at commercial finance provider GE Capital Americas, James Beeson has authority over decisions such as updating security software releases and tweaking security policies to make them stronger. But making larger-scale decisions on security strategy for the company is a more complex proposition.