CISOs still have a long way to go in gaining respect

Only the most stuck-in-their-ways companies don’t view cyberattacks as a real and alarming threat to their organizations. But a new survey shows the people in charge of that security are often not thought of as worthy of a leadership role.

Opinion Matters and ThreatTrack Security recently took the pulse of top C-level executives at a variety of organizations. When asked about the role of chief information security officers (CISOs), many didn’t have glowing reviews.

Among the findings:

  • 74% of respondents said that CISOs didn’t have what it takes to be part of the organization’s leadership team, and
  • 61% of executives didn’t think CISOs would thrive in a role outside of information security.

CISOs and the budget

Security pros can definitely affect a company’s bottom line – for better or for worse. And nearly one in three executives (28%) thought their company’s CISO had made security decisions that negatively affected the company’s bottom line.

Strange, considering that fewer than half (46%) of companies were even comfortable letting CISOs make security purchasing decisions.

Overall, it’s telling that more than a third (35%) of companies rated their CISOs as average – or worse.

Building a reputation

You can’t turn around a company’s perception quickly. It takes time.

But gaining a better reputation with higher-ups is entirely possible. Here are some steps you can take to go about changing their minds:

  • Trumpet successes. The old line on the CIA applies to IT, too: “Your successes are unheralded, your failures are trumpeted.” But even the simple step of briefing higher-ups, or the officers you report to, on those successes can go a long way toward making them see that security is important and worth trusting to the experts.
  • Suggest proactive solutions. The easiest time to suggest a security improvement is after a breach or incident, but that’s also the time it’ll be most damaging to your reputation. Explain to other decision-makers why defensive measures are worth investing in. Then, if there is a breach at another organization, report on what steps you already have in place to prevent a similar incident from hitting you – and where you could stand to improve.
  • Make it personal. The group most targeted for cyberattacks is the same group you’ll be reporting to: the top brass. Take a special interest in their security training and preparations, and use that work as a vehicle for explaining why security overall is so valuable.