Security executives have taken on much more responsibility and visibility in recent years as threats to corporate information assets and physical resources have increased.
But do their titles--whether it's CSO, CISO, vice president of security or other C-level position--always come with the authority needed to achieve everything they are responsible for? If not, how much of a gap is there between these executives' responsibilities and their authority?
The short answer is, it depends on the organization and how it perceives the security function. The level of authority and influence that information security executives wield varies widely from organization to organization, says Steve Durbin, global vice president of the Information Security Forum, a nonprofit that provides guidance and best practices for all areas of information security and risk management. And at a great many enterprises, Durbin says, that authority and influence is not sufficient.
"If you look at some of the power players, the guys running security at the largest organizations, they say they do have the authority to at least accomplish what they are tasked with," Durbin says. "But a lot of organizations still don't get the importance of security," and that's reflected in how CISOs and other cybersecurity executives are treated when it comes to authority, budget control and other areas of management.
Recent research confirms that many organizations undervalue information security, Durbin says. For example, according to Ernst and Young's 2012 Global Information Security Survey, only about one quarter of the companies surveyed have given responsibility for information security to the CEO, CFO or COO--elevating it to a C-suite concern. And only 5 percent have information security reporting to the chief risk officer, the person most responsible for managing the organization's risk profile.
"Clearly there is a mismatch or a lack of understanding at the senior level of how important security is and the level of [authority] it needs to have within the organization," Durbin says. Information security executives might be partly to blame for this, he adds.
"In my experience, generally speaking, many security executives still find it difficult to effectively transmit their message to C-level decision makers," Durbin says. "They have not been able to align information security with business goals. The industry in general has tended to overuse the fear, uncertainty and doubt methodology to get budget, and to some extent that has damaged the role [of CISOs].
At many organizations outside the Fortune 500, the CISO role today "lacks the prestige to accomplish the information security goals the business requires," Durbin says.
"CISOs have got a difficult task on their hands; very many of them have come from technical backgrounds and up until recently have not been required to work as closely with the business or to communicate security issues in a language that the business easily understands," he says.
As a result, they continue to struggle for the budget and authority they need. "Many are suffering from lack of authority at a time when security has never been more important," Durbin says.
The implications of this are significant: organizations might not be adequately equipped to secure themselves against cybercrime, which continues to increase in sophistication and scope. At those organizations that lack a strong security authority, senior business leaders could end up making decisions without having sufficient information about threats and solutions.
One security executive, who did not want his name or organization identified, says he does not have the full authority to achieve all his goals directly, and thinks this is true of many of his peers in other industries. He says, "This is probably as it should be, since security is always the junior partner in any business enterprise."
The executive points out that organizational structures "differ everywhere, with the senior security official reporting to a variety of senior executives, from [human resources] to legal to operations. There is no standard solution for this and corporate culture will dictate how this is done."
One issue that the anonymous security executive has to deal with is the fact that there is no central security budget at his organization. Security is diffused throughout the organization, and so is the budget, he says. Since security is seen essentially as a service at every level in the organization, various elements of it are paid for through the budgets of a number of other departments.
The bottom line is that "enterprise security is an expense and does not generate revenue, so it can be an uphill battle to add things like extra staffing with all the loaded costs," the executive says.
Another challenge he faces is that the security function rarely encompasses both physical security and cybersecurity, "so these two essential security functions often do not coordinate all that well or receive the same attention from business leaders," he says.
Leaders are generally more comfortable with the more traditional field of physical security and feel much less at ease on the cyber side, the executive says.
"This means the IT staff becomes the de facto security chief for cyber, which is a little like the fox looking after the henhouse," he says.
"There ought to be a single executive in every organization who the boss can go to for all security solutions."
At some companies, particularly subsidiaries of large, global enterprises, the organizational structure of the business can limit the authority of security executives.
As CISO and IT risk leader at commercial finance provider GE Capital Americas, James Beeson has authority over decisions such as updating security software releases and tweaking security policies to make them stronger. But making larger-scale decisions on security strategy for the company is a more complex proposition.
"Within our business unit, I have the full support of senior leadership and the CIO to go get done what I have to get done in order to get us compliant" with parent company GE's security requirements, Beeson says. What he doesn't have the authority to do, he says, is make broad policy decisions that go beyond the confines of GE's overall security strategy.
The way GE is organized, the parent company has its own security department and leadership, as does its GE Capital unit and GE Capital Americas. The parent company and GE Capital each have CISO councils, of which Beeson is a member.
As a member, Beeson can suggest new technologies for the councils to consider and can recommend ways to strengthen security postures at the companies.
"I can influence those [councils], but not in terms of decision making and the authority to actually move things forward," Beeson says. He frequently has to go through the councils for approvals on key security technologies or major changes in security policy or procedures.
"My boss looks to me to oversee [security] for the GE Capital Americas business," Beeson says. "But I might not be able to pick a tool or technology or revise a policy. That's not so simple."
The Value of Security
Some executives are comfortable with the level of authority security chiefs have. "I believe that most companies do give their [CISOs and CSOs] the authority the achieve success," says Roland Cloutier, CSO at Automatic Data Processing (ADP), a provider of human resources, payroll, tax and benefits administration services.
"Authority does not mean unlimited resources or a yes' to every security, risk or privacy program they want to implement," Cloutier says. Rather, it's a workspace that understands the need for an executive security leader, provides mechanisms for professional input and collaboration, and promotes the opportunity for careful consideration of business-impacting issues, he says.
"Typically, if a company has made the commitment to staff a CISO/CSO-like position, [it has] taken a very important first step," Cloutier says. "Often it is the responsibility of that security executive to define success for their organization and develop and deliver the business impact efforts necessary to drive the results."
In Cloutier's experience, businesses that have difficulty taking a balanced approach to effective security typically have issues in either governance and oversight or segregation of duties.
"First, without an established authoritative executive oversight group that provides guidance to a security program, [then] prioritization, business alignment and cross-business visibility is very difficult to achieve," Cloutier says. "Those basic concepts are fundamental to the success of any given program, not just security."
Regarding segregation of duties, those security organizations that are operationally managed by a group that has contrasting ideas about security, risk or privacy functions often find themselves incapable of solving problems, thanks to management, financial or organizational issues.
"Here at ADP, we have taken great lengths [to implement] cross-divisional and corporate oversight alignment through an executive security council, and treat our security and privacy program like other risk organizations, as components of the office of the CFO," Cloutier says.
The company views its security, operational risk and privacy programs as elements of its overall risk position, Cloutier says. "In our governance, it is the office of the CFO that is responsible for maintaining ADP's overall enterprise risk posture, and so that is where the CSO position reports to," he says.
At companies where security is the main focus of the business, the security executive role takes on a huge importance. For example, at Websense, a provider of Web, email and mobile security technology, Chief Security and Strategy Officer Jason Clark not only oversees IT strategy and reviews all IT projects, but also is deeply involved in business decisions, including investments, market strategy and partnerships.
"My leadership extends across four individual areas -- and requires buy-in from the executive suite, IT, engineering, marketing and sales," Clark says. "I act as a voice of our customers during product development to provide a real-world perspective."
The security budget Clark controls is distributed between IT and marketing. "This process encourages internal collaboration across departments and frees me from administrative issues," he says. "This has also allowed me to build a unique team in the office of the CSO, which helps to further evangelize our processes. We are free to actually implement the many internal and external security ideas that we create, and more efficiently prioritize these with other organizational demands."
Websense's CIO handles the operational side of its IT security while Clark oversees the strategy and projects.
"It's a strong relationship that allows me to use my business and security expertise to advise executives on successful strategies to improve their IT infrastructure and more effectively secure our organization."
A New Look
In the coming months, many organizations will change the way they look at security and how it is managed within the enterprise, and the CISO role will evolve, Durbin says. CISOs must refocus security to take their organizations from crisis response and compliance mode to proactive risk management, he says.
This is already happening at some businesses. Durbin cites a bank that is splitting up the CISO role among multiple individuals, each responsible for different segments of the company. They work as a team that reports to the COO, ensuring C-level support.
"There's another organization I know of where security now reports through to the chief strategy officer," Durbin says. "I like that because security then has alignment with strategy." At a third company, in the media industry, the CISO works on a consultative basis with the business, taking on security projects as needed. This enables to the CISO to showcase his expertise in security in addition to helping the company meet its business goals, he says.
In fact, the role of CISO is likely to morph into more of a consultative function, Durbin says. "CISOs will need to be consultants and salesmen," he says. "They need to be able to look into the business strategy and then sell the appropriate concepts of how to manage information security risk in a consultative fashion."
In time, "we may see the arrival of a new [position] at the board level, like chief digital officer, someone responsible for managing the organization's role in cyberspace and who naturally oversees all cybersecurity matters," Durbin says.
Regardless of how things pan out for security executives, organizations need to take steps to strengthen the security function.
"There is clearly a gap; the question is, how do we bridge it?" Durbin says. "As we move more into the cloud, mobile technology and social media, it's especially incumbent on businesses to understand the risk."
Bob Violino is a freelance writer and editor. He can be reached at firstname.lastname@example.org.