Despite mounting concerns over data breaches and the growing sophistication of the threat landscape, top management at most organizations still don't appear to view cybersecurity as a business-critical function.
A survey of 1,426 security professionals recently conducted by the Ponemon Institute for LogRhythm found just 7% of organizations represented in the survey had security leaders reporting directly to the CEO. The remaining 93% have their security leaders reporting to other executives, including the chief information officer (24%), director or manager of IT (19%), chief technology officer (12%), vice president of IT (11%), or chief revenue officer (9%).
Far from being close to the CEO, the survey shows the average security leader is, in fact, three levels removed from the chief executive, making it challenging for them to clearly articulate enterprise security risks to top leadership. Most security leaders don't have a direct relationship with the CEO and the board, even though they have complete ownership or significant influence over their organizations' cybersecurity budgets. Respondents to the LogRhythm/Ponemon survey reported an annual security budget of $38 million, or roughly 24% of their organization's average IT budget of $159 million.
"Cybersecurity leaders have assumed more accountability and risk but struggle to achieve the desired security posture because they are not as influential as other members of their peer group," says Mark Logan, CEO of LogRhythm.
Going into the survey, LogRhythm expected to find many CEOs were still failing to recognize the importance of the cybersecurity function, Logan says. Even so, the fact that only 7% of security leaders report directly to the CEO was surprising, he says.
"That is an extremely low percentage considering cybersecurity is a critical business function," he says.
The issue of top management not giving the cybersecurity ..
Support the originator by clicking the read the rest link below.
