IT security executives are struggling to get access to top executives in the enterprise, with only 7% of cybersecurity leaders reporting directly to the chief executive officer, according to research from LogRhythm and the Ponemon Institute, released Tuesday.
Of the 1,426 infosec executives surveyed, 63% do not provide updates to the board of directors on security-related matters. Of those security leaders reporting to the board, 41% only address the board in the event of a security incident. Only 29% of respondents have a board-level committee dedicated to cyberthreats and related security issues facing the organization.
Among the respondents, 24% report to the chief information officer, 19% report to the director or manager of IT, 12% report to the chief technology officer, while 11% report to the VP of IT. The research is based on responses from an original sampling frame of more than 39,000 cybersecurity professionals from the U.S., Asia Pacific and the EMEA region.
Security governance and accountability have become a growing issue in the enterprise, particularly after so many high-profile ransomware attacks and data breaches in recent years led to changes within corporate structures.
Cybersecurity and IT have taken on a more critical role in the overall operations of organizations, particularly since major companies and government agencies switched to a work-from-home model more than a year ago.
"With cyberattacks growing in size and stature, businesses, governments and critical infrastructure are increasingly at risk," said Mark Logan, CEO of LogRhythm, which sponsored the research study. "But how is that risk represented at an organization level? Is it a priority for organizations?"
Three in five respondents said their organization experienced a cyberattack in the past two years, according to the research. About 42% of respondents said the IT security leader should be the one held most accountable for preventing or mitigating an attack.
The roles of CIO and CISO have often come into conflict over who should take the lead in cybersecurity functions versus overall information security.
In some of the biggest enterprise breaches and cyberattacks in recent years, the position of IT security within the organization shaped how the C-suite and board of directors oversaw information security issues.
About 43% of respondents said their organizations value and effectively leverage the expertise of cybersecurity leaders, the research found. The study highlights an ongoing concern inside companies regarding the relative lack of value placed on cybersecurity.
If companies decide to move the role of the CISO outside of the IT structure, they should have specific goals in mind, Tom Scholtz, distinguished VP analyst at Gartner, wrote in an April research report.
In the years before the SolarWinds attack, the network security company failed to heed warnings from a key security executive that its internal practices made it vulnerable to attack. The company was relatively late in bringing in a designated IT security executive at the vice president level.