cyware: CISO role shows significant gains amid corporate recognition of cyber risk

Summary: The role of CISOs and other cybersecurity executives is gaining more influence and importance as companies recognize the need for strong cyber governance and oversight.

Threat Actor: N/A
Victim: N/A

Key Points:

  • About 90% of cybersecurity managers now report to a top-level company executive, compared to 62% in 2021.
  • A higher percentage of cybersecurity executives now report directly to company CEOs.
  • CISOs and other cybersecurity managers are providing more frequent cyber briefings to the CEO.
  • There is a more regular cadence of CISOs providing updates to the C-suite and board of directors.
  • About 40% of cyber managers conduct monthly meetings with their CEO.
  • The increased proximity between executives and CISOs fosters greater awareness and understanding of cyber risk within organizations.
  • This increased proximity also translates into more support for increased budgets and resources.
  • The role of CISOs has evolved since major cyber incidents like the SolarWinds supply chain attack and the Colonial Pipeline ransomware attack.
  • CISOs have faced increased scrutiny, including legal action against former Uber and SolarWinds CISOs.
  • The need for rapid threat hunting and disclosure has given CISOs more visibility, responsibility, and oversight.
  • The Securities and Exchange Commission (SEC) incident reporting rules and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) have further emphasized the importance of CISO leadership.
  • The SEC rules require companies to report material incidents within four business days of determining materiality.
  • CIRCIA will require critical infrastructure providers to report major incidents to federal authorities within 72 hours of the incident.

CISOs and other management-level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings.

About 90% of cybersecurity managers now report to a top-level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America.

“The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”

Moody’s identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.

“The greater proximity between the executive and CISO is credit positive and fosters greater awareness and understanding of cyber risk within an organization,” Libretti said. “It also typically translates into more support for increased budgets and resources.”

The CISO role has evolved in the years since the 2020 Sunburst supply chain attacks against SolarWinds and other companies, as well as the 2021 Colonial Pipeline ransomware attack.

CISOs have also come under more scrutiny, including the prosecution of the former Uber CISO for covering up a ransomware attack and the SEC filing civil charges against the current SolarWinds CISO for allegedly misleading investors about the company’s cyber risks.

Major companies have given CISOs more visibility, responsibility and oversight, particularly in light of the need for rapid threat hunting and disclosure stemming from the Securities and Exchange Commission’s incident reporting rules and the coming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

The SEC rules require companies to report material incidents within four business days of determining materiality. CIRCIA will require critical infrastructure providers, which includes more than 300,000 covered entities, to report major incidents to federal authorities within 72 hours of the incident. The final rule is expected to be ready in about 18 months.

Source: https://www.cybersecuritydive.com/news/ciso-gains-corporate-cyber-risk/712684/