New Numbers Reveal Disconnect Between CEOs, Boards, and Cybersecurity Managers
Security services firm LogRhythm has released a report (see logrhythm.com/making-security-priorities-business-priorities/) indicating that, although most respondents believe the lead cybersecurity official should report directly to the organization's chief executive officer, that is rarely what happens. Given how heavily companies rely on technology to conduct business while protecting their resources and customer data, an inability to communicate directly when a security incident occurs can delay the response to a threat. The LogRhythm report found that, on average, cybersecurity managers are three levels removed from their CEOs.
Adding to the communication problem, LogRhythm also determined that organizational management often operates under the misconception that its technical security leaders fully understand the company's business goals. One area where this gap shows up is budget management. LogRhythm found that many cybersecurity managers lack full control over their departments' budgets and must go through approval processes before allocating funds to acquire new resources. If they are not told about management's plans and goals far enough in advance, they will likely lack the funding they need when those changes arrive.
LogRhythm's research revealed that management in 60% of the organizations surveyed believed their CEOs and cybersecurity managers should maintain direct lines of communication. Respondents cited the need for the CEO to be made aware immediately of any security issue that arises; this would expedite the response and help ensure that other stakeholders in the organization are kept abreast of the situation. Unfortunately, LogRhythm reported that 93% of the cybersecurity managers polled do not report directly to their CEOs and were, on average, three links apart in the communication chain. Delays in threat response caused by a requirement to communicate through intermediate channels could put resources at risk.
Regarding budget management and allocation, LogRhythm's research found that 77% of cybersecurity managers were not given complete control over their budgets. They were required to obtain the approval of organizational management before allocating funds to acquire the resources needed to secure their environments effectively. Compounding the problem, although 64% of cybersecurity managers said they go to their management boards seeking approval for budget allocations, representatives of 63% of the organizations surveyed said their budgets end up being insufficient to meet their needs in any case. This means that, in most of these companies, cybersecurity personnel do not have the funds to protect their resources adequately. It also means that, in many cases, organizational managers know they are not providing all of the funding needed.
More consequences result from a lack of communication.
In the 93% of companies surveyed where cybersecurity managers have no direct line of communication with their CEOs, 54% of those managers reported that they address their boards of directors only once per year or when a security issue arises. LogRhythm reports that 46% of the senior organizational leaders surveyed believed their cybersecurity managers understood the organization's business goals. This seems unlikely given how few opportunities those managers are given to discuss those goals.
Organizational goals such as expansion, opening new locations, adding services, and potentially moving into regulated areas of operation must be communicated to cybersecurity leaders so they are not caught unaware. They need sufficient notice to seek out and evaluate the new technology that will be required, plan for changes in the environment, prepare budget proposals, and expand employee security training programs, all while dealing with emerging threats, evolving attack vectors, and newly discovered vulnerabilities. For the 77% who lack full authority over their security budgets and expenditures, sufficient advance notice is critically important.
CEOs and boards of directors must consider the potential consequences of being unable to respond promptly to a security incident such as a data breach or ransomware attack simply because of the structure of their chain of command and restrictions on communication. Cybersecurity leaders must be able to communicate directly with C-level management when the need arises. IT security managers must also be kept informed of changing organizational plans and goals so they can plan accordingly and have time to implement the needed changes and safeguards in the environment. CEOs and boards of directors may wish to consider granting cybersecurity managers more budgetary control so that, when needs arise, they can be addressed without unnecessary delay. Lastly, cybersecurity leaders should make the case to organizational management for better communication and, where needed, for more control over their budgetary resources.