The narrow gap between CEO, CIO and CISO roles means no single executive function is stepping up to take responsibility for cyber security, a study shows.
A lack of cohesion at the top means organisations are struggling to secure the most important digital assets, a report reveals.
Responsibility for cyber security is not falling to any one senior executive function, according to the 2018 Risk:Value report from NTT Security.
Variation in who people view as responsible
The report, based on a poll of 1,800 senior decision makers from non-IT functions in global organisations in 12 countries, shows that at a global level, 22% of respondents believe the CIO is “ultimately responsible” for managing security, compared with 20% for the CEO and 19% for the CISO.
In the UK, fewer respondents point to the CIO (19%) and CISO (18%) while the CEO gets the biggest vote at 21%. The US (27%) and Norway (26%) buck the trend with more than a quarter of respondents suggesting the CEO is responsible, while in Singapore, 33% say it is the role of the CISO, which is highest figure across all countries.
“Responsibility for day-to-day security doesn’t seem to fall on any one particular person’s shoulders among our response base,” said Azeem Aleem, vice-president consulting and UK&I lead, NTT Security.
“This narrow gap between the roles of CIO, CEO and CISO shows that no one executive function is stepping up to the plate,” he said. “It could be a sign of unclear separation between the CIO and CISO though, as often they are the same or collaborate closely.”
Security is still lacking in sufficient priority
According to the report, although more people see the need for regular boardroom discussions about cyber security, their organisations are failing to raise it sufficiently at the C-suite level. While 80% of all survey respondents agree that preventing a security attack should be a regular boardroom agenda item (up from 73% a year ago) only 61% say that it already is, which represents an increase of just 5% on last year.