A Chief Security Concern for Executive Teams
Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks. Even among top tech firms, less than half list a chief technology officer (CTO). This post explores some reasons why this is the case, and why it can’t change fast enough.
KrebsOnSecurity reviewed the Web sites for the global top 100 companies by market value, and found just five percent of top 100 firms listed a chief information security officer (CISO) or chief security officer (CSO). Only a little more than a third even listed a CTO in their executive leadership pages.
The reality among high-tech firms that make up the top 50 companies in the NASDAQ market was even more striking: Fewer than half listed a CTO in their executive ranks, and I could find only three that featured a person with a security title.
Nobody’s saying these companies don’t have CISOs and/or CSOs and CTOs in their employ. A review of these companies via LinkedIn suggests that most of them in fact do have people in those roles (although I suspect the few that aren’t present or easily findable on LinkedIn have made a personal and/or professional decision not to be listed as such).
But it is interesting to note which roles companies consider worthwhile publishing in their executive leadership pages. For example, 73 percent of the top 100 companies listed a chief of human resources (or “chief people officer”), and about one-third included a chief marketing officer.
Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all three roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.
Julie Conroy, research director at the market analyst firm Aite Group, said she initially hypothesized that companies with a regulatory mandate for strong cybersecurity controls (e.g. banks) would have this role in their executive leadership team.
“But a quick look at Bank of America and Chase’s websites proved me wrong,” Conroy said. “It looks like the CISO in those firms is one layer down, reporting to the executive leadership.”
Conroy says this dynamic reflects the fact that revenue centers like human capital and the ability to drum up new business are still prioritized and valued by businesses more than cost centers — including loss prevention and cybersecurity.
“Marketing and digital strategy roles drive top line revenue for firms—the latter is particularly important in retail and banking businesses as so much commerce moves online,” Conroy said. “While you and I know that cybersecurity and loss prevention are critical functions for all types of businesses, I don’t think that reality is reflected in the organizational structure of many businesses still. A common theme in my discussions with executives in cost center roles is how difficult it is for them to get budget to fund the tech they need for loss prevention initiatives.”
EXHIBIT A: EQUIFAX
Common or not, the dominant reporting structure in corporations runs the risk of having security concerns take a backseat when they get in the way of productivity, and often leaves the security team without someone to advocate for the proper budget.
Take the mega breach at Equifax last year that exposed the personal and financial data on 148 million people. Much blame has been placed on lax software patching practices at Equifax, but the cause of the intrusion was ultimately a people and organizational structure issue, argues Lance Spitzner, director of security awarness at the SANS Institute.
“When you bring up the Equifax breach, most people respond that it was a patching issue, the bad guys exploited a Struts vulnerability that Equifax knew about and should have patched,” Spitzner wrote in a breakdown of a damning report released last week by lawmakers on the House Oversight committee.
But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.
The reason for this organizational divide? Spitzner notes:
“Ten years prior, the CSO reported to the CIO, however they had strong personality conflicts. Since the two could not work together, the CSO was moved under legal. However, when Equifax’s new CIO David Webb and new CSO Susan Mauldin came on board, this split was never resolved. (Full details of this strategic failure start on page 55 of the report. I feel this is one of the most critical findings.) As a result, the CSO is now the CISO and that individual reports directly to the CEO at Equifax today.”
Indeed, despite its myriad security and management foibles since announcing its historic data breach last September, Equifax has apparently taken this particular lesson to heart. Prior to announcing its breach last year, a CISO or CSO was noticeably absent from the ranks of Equifax’s Corporate Leadership page. Not anymore. Here’s looking at you, Experian and Trans Union.
Workforce experts say the main reason many firms don’t list their security leaders within their top executives is that these people typically do not report directly to the company’s board of directors or CEO. More commonly, the CSO or CISO reports to the CTO, or to the chief information officer.
“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play,” said Anthony Belfiore, chief security officer for insurance company Aon PLC, in a Wall Street Journal story this month about the rising prominence of security leaders at major companies.
Alissa Valentina Knight, senior analyst and colleague of Conroy’s at the Aite Group, said we’re in the middle of a changing of tides — where the CISO function once seen as a technology problem is now moving to a boardroom problem and bringing about a gradual shift in reporting structure.
“Historically, you’d see the CISO reporting to the CTO and despite the company having a CISO, that individual wasn’t listed on the company’s web site, [and] while they had an officer title, they weren’t given that privilege,” Knight said.
But she added that many companies — despite having a CISO — will not list them on their web site’s leadership team page, even when that reporting structure changes from the CTO to the CEO or Board of Directors.
“Some companies are even moving the cybersecurity function to report up through the CFO,” Knight said.
According to a survey released this summer by Accenture, two-thirds of companies said their chief executive and board of directors now have direct oversight of cybersecurity. The survey also found CIOs also had less control over cybersecurity budgets in 2018, 35 percent in 2017 to 29 percent this year, the survey found.
Companies can minimize conflict between the CSO/CISO and other top executives by having their security leader(s) report to the head of operations, or to the company’s general counsel, Belfiore told The Journal. For example, those that have CISOs reporting to CIOs can mix in reporting lines to legal, risk or the CEO office to offset potential conflicts.
This post first appeared on Krebs on Security