Following up on my January 21, 2019 BlogInfoSec column on “Management-Technology Alignment,” I read a couple of disturbing articles confirming the problem and describing other effects of the failure of communications between information security professionals and senior management in their organizations.
A Forbes article, dated February 15, 2019, by Davey Winder with the title “Cybersecurity Mental Health Warning—1 in 6 CISOs Now Medicate or Use Alcohol,” available at https://www.forbes.com/sites/daveywinder/2019/02/15/cybersecurity-mental-health-warning-1-in-6-cisos-now-medicate-or-use-alcohol/#436366523c0c  describes the distressing situation in which many CISOs find themselves. Winder claims that:
“Stress is undoubtedly playing a part as far as the decline in mental health of the modern CISO is concerned …So, where does this stress that is hitting the CISO so hard come from? Largely the lack of engagement with the C-Suite and the board would appear to be the answer.”
Winder closes with the following exhortation:
“A cultural change needs to happen at board level, Russell Haworth [CEO of Nominet] insists, adding ‘to really empower security leaders, cybersecurity must be reclassified as a strategic, business-critical function and have a solid seat at the table instead of the current lip service many appear to be paying it.’”
I have maintained throughout my InfoSec career that CISOs should not report to CIOs, many of whom see information security as a handicap rather than an enabler, but they should be on an equal footing with internal audit and risk management and should report directly to the board, bypassing senior management. Certainly, the information security budget should not come out of the IT budget but be separately funded.
Another February 15, 2019 article, “Five emerging cybersecurity threats you should take very seriously in 2019,” by Alison DeNisco Rayome, which is available at https://www.zdnet.com/article/five-emerging-cybersecurity-threats-you-should-take-very-seriously-in-2019/  , presents a somewhat more positive view. The article quotes Sam Olyaei of Gartner as follows:
“Today, not only are business leaders and the business community understanding cybersecurity, they know it’s important to their business outcomes and objectives. The problem is, there is still a lack of understanding as to why it is important … Firms must work to bridge the gap between communicating the technical aspects of cybersecurity and the business outcomes, such as customer satisfaction, financial health, and reputation.” [Emphasis added]
What are we missing here?
The reality is that the goals and the motivations of information security professionals and business management (and lawmakers, for that matter) are very different and, unless we find a way to align these goals, the gap will continue to widen. Unless and until senior managements and boards of directors are held personally, and even criminally, liable, if shown to have been negligent in their cybersecurity efforts, we won’t see much of a change. It was done for Y2K, and it worked. Now is the time to put the ultimate responsibility where it should be … with executive management … and then the necessary support of CISOs might be forthcoming.