If there’s anyone close to the pulse of security, it’s Brian Krebs. In one of his recent articles, he notes that organizations talk about how very important information security is, yet positions overseeing information security are conspicuously absent from their executive leadership pages.
We did a little digging into Brian’s data and expanded on some of the points he highlighted. We found the following percentages of the top 100 organizations listing roles that may also be in charge of information security:
- Chief Information Security Officer – 5%
- Chief Technology Officer – 35%
- Chief Information Officer – 21%
- Chief Risk Officer – 25%
The good news is that 56% of organizations had one or more of these roles listed on their leadership pages.
For comparison, two functions with no security remit are also not universally listed, yet they appear far more often than a CISO does:
- Human Resources – 69%
- Marketing – 30%
Now, to be clear, Brian’s not saying these organizations don’t have a head of information security. A quick search for, say, Apple’s CISO yields multiple pages on the web (none of them on Apple’s website) referring to George Stathakopoulos, Apple’s Vice President of Corporate Information Security. What he is pointing out is how few organizations consider the head of information security important enough to appear on the leadership page.
Brian’s article raises the question: do organizations really see information security as a priority?
Having a person in charge of information security, whether that person is cited on a web page or not, is a leading indicator of that priority. Another is the spending dedicated to protecting the organization’s information. According to a 2018 Cyber Resiliency report by global risk advisory firm Willis Towers Watson, average spending on cyber-resilience and information security is about 1.7% of revenue, and 73% of organizations state they believe their spending should increase.
As we shift out of 2018, a year full of attacks, information breaches, data held for ransom, and major changes in attack techniques, it’s time for organizations to take the need for information security seriously and put someone clearly in charge of protecting their data.