Survey: Only 1 in 7 CISOs has access to CEO

The disconnect between chief information security officers and the executive suite, while narrowing, remains dangerously wide, according to a new survey that found only one in seven CISOs report directly to their CEO.

The survey, administered jointly by ISACA and the RSA Conference, asked 461 senior information security and cybersecurity professionals — 79 percent of them at the management level — to gauge the security climate in their enterprise. More than two-thirds, 69 percent, worked for an organization with more than 1,000 employees, spanning a breadth of industries across North America and Europe, with a small margin of respondents based in Africa, Latin America, Oceania and Asia. 

As a baseline, only 75 percent of respondents are confident in their team’s ability to detect and respond to incidents -— a 12 percent dip from last year. That 75 percent falls to 60 percent, when the incident is anything beyond simple.

The survey found that 74 percent of security professionals are anticipating a cyberattack on their organization in 2016, while 30 percent currently stave off phishing attacks on a daily basis. The vast majority, 82 percent, indicated that their company boards are concerned about cybersecurity.

Fifty-nine percent of respondents that said fewer than half of cybersecurity candidates were “qualified upon hire,” underscoring a widening skills gap that has caused cybersecurity vacancies to linger at most companies — 27 percent said that jobs had gone unfilled for up to half a year for lack of qualified candidates.

Another issue plaguing security professionals is situational unawareness, which has roots even among the top levels of enterprise security. Nearly a quarter, 24 percent, of security professionals did not know if any user credentials had been stolen in 2015. The same proportion weren’t sure which threat actors had exploited their companies, while 23 percent couldn’t say whether an advanced persistent threat attack had been mounted against them.

“The lack of confidence in current cybersecurity skill levels shows that conventional approaches to training are lacking,” said Ron Hale, chief knowledge officer of ISACA. “Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce.”

The survey also polled participants on the expected security impact of new trends in tech — artificial intelligence and the Internet of Things. Fifty-three percent said IoT would exacerbate risks by expanding attack surfaces, while 62 percent thought AI would pose a risk in the long term and the short term.

“While there are signs that C-level executives increasingly understand the importance of cybersecurity, there are still opportunities for improvement,” said Jennifer Lawinski, editor-in-chief of online engagement for the RSA Conference. “The majority of CISOs still report to CIOs, which shows cybersecurity is viewed as a technical rather than business issue. This survey highlights the discrepancy to provide an opportunity for growth for the infosec community in the future.”