Sponsored Content

Why it’s time for the CSO to report directly to the CEO

By Mark Logan, President and CEO, LogRhythm

In the wake of major breaches over the last few months, organizations across industries are re-evaluating their cybersecurity strategies, with many realigning priorities to ensure their security team and technology solutions can meet the needs of an evolving threat landscape.

Cybersecurity is a crucial element of an organization’s competitive advantage. However, IDG’s 2020 Security Priorities Report found that only 34% of top security executives at companies report to the CEO. If companies intend to take security seriously, they must realize that their chief information security officers (CISOs or CSOs) don’t just need a seat in the boardroom; they must report directly to the CEO.

Former General Electric Chairman and CEO Jack Welch was one of the first Fortune 500 CEOs to have the HR director report to him, and this change revolutionized people management. Now, the same shift is happening with cybersecurity, which in just the past few years has gone from barely hitting the top ten list of priorities within many organizations to being one of the top three most important issues for company oversight.  

This type of management transformation is urgently needed for security leadership to be successful in protecting an organization’s invaluable data and reputation. Companies that fail to make this shift may be more exposed to this increasingly challenging cyberthreat environment.

Adopting a reporting structure that enables optimal business performance

Today’s cyberthreats are not limited to technology vendors. However, companies with a product that could also be breached can experience a snowball effect that exponentially multiplies the exposure, as seen with recent breaches.

Having the CSO report directly to the CEO demonstrates the value a company places on cybersecurity as an enabler of business performance at a time when cyber breach headlines are top of mind for the public and maintaining trust is crucial. This reporting structure also fosters trust among consumers and future business partners that security and data privacy are taken seriously and given the highest priority within the company.

Recruiting and retaining the security team

The shortage of skilled cybersecurity personnel continues to grow, making it incredibly competitive to fill these vital positions. The demand for properly trained workers can leave many security teams stretched thin, and executive leadership that fails to prioritize security will only add to the stress of the job. All of this can lead to the CSO position having a high turnover rate at organizations, which causes disruption that can impact an organization’s ability to mitigate risk. LogRhythm’s 2020 State of the Security Team report found that 75% of security professionals experience more work-related stress versus two years prior, and 57% of security teams surveyed felt that their security program lacked proper executive support.

Having the CSO report directly to the CEO shows the rest of their team that they are an empowered member of the organization. This means potential recruits and current employees will feel better supported by a leader who has the resources to handle employee needs in a way that enhances development and lowers attrition. 

Bringing this structure to life at LogRhythm

Many organizations struggle with “filtering,” which happens when a lack of optimization within the reporting structure leaves valuable security information lost in translation. For example, let’s say a CSO reports to a CIO who then reports to the CFO, and that person finally carries the message forward to the CEO. This can create bottlenecks and even lead to less budgetary and organizational support because the needs of the security program and the risk to the organization are diluted as they pass through the drawn-out channels of communication.

At LogRhythm, my direct reports, including the CSO, meet twice a week to discuss market trends, product strategies, and any key issues and challenges. Having the CSO be a part of these meetings allows him to inform the entire LogRhythm leadership team and me about the ever-changing cybersecurity landscape. We hear firsthand what is happening in the field and with our product. That cross-pollination is incredibly valuable.  

Looking ahead

The reality in today’s cybersecurity landscape is that if your organization doesn’t give its security platforms attention, malicious actors certainly will. Proactive measures start with making sure CSOs and their security teams feel like their voice is being heard and the unique insights they bring to the table are making their way to the entire leadership team. 

Despite a rising number of cyber breach events and new headlines almost every day, far too many enterprises still aren’t recognizing the urgency. Cybersecurity is now a board-level initiative for all companies, not just those in the software and security spaces. Enterprises that do not get on board with this shift in organizational structure that brings CSOs to the forefront stand to lose out on key talent. Perhaps more concerningly, they also stand to see a weakening of consumer trust and business value, especially if the organization ultimately experiences a damaging breach because security was not prioritized.