Fortune
John Kell

Why CISOs should report to the CEO—and not the CIO

One in five chief information security officers report directly to their CEO. Andy Ellis says that's not nearly enough. 

“It’s really about being in the room where it happens,” says Ellis, operating partner at YL Ventures, an American-Israeli venture capital firm that specializes in cybersecurity investments. Ellis has personal experience in the field, having previously served as chief security officer at cloud and security firm Akamai Technologies for nearly a decade.

Ellis asserts that the CISO must have a seat that’s level with leaders who manage IT, legal, and finance. By working directly with the CEO, he says, a company’s top cyber expert can be empowered to strategize with a cyber-first mindset when a business pursues new ventures, rather than cleaning up messes after they occur.

If for some reason the CISO is unable to report to the CEO, the next best person is the chief technology officer, according to Ellis. A survey by YL Ventures, based on interviews with 50 cybersecurity executives, found that roughly 16% have that reporting structure in place. A quarter of CISOs report to the chief information officer, which Ellis says creates “unhealthy tension.” 

That’s because the roles don’t neatly overlap and could result in conflict when a CISO is trying to implement cybersecurity governance across a company’s entire technology stack, while at the same time, their boss may only oversee enterprise IT.

Ellis then makes a controversial call. He says with so much technology being outsourced to vendors, startups are finding they don’t even need a CIO any more, as software management and gadget services can be easily handled by an IT director. The CIO, he argues, is “not a C-level position anymore.”

Gerhard Eschelbeck, CSO at autonomous trucking startup Kodiak Robotics, says he reports to the CEO because cybersecurity is more than an IT issue; it is an enterprise-wide business consideration. “We have seen a major shift towards cybersecurity being an executive-level topic, and the CISO should be driving these discussions,” says Eschelbeck.

What may be holding CISOs back from a more prominent C-suite role is that they are overly focused on saying “stop” to ensure adequate security protocols. CEOs aren't keen to hear "no" when they want to move forward with an exciting new venture. 

CISOs should also be bolder and more precise about the data they report to the C-suite and board. Ellis says the industry lacks standardization in metrics and that the details they do share, like how many employees clicked on a suspicious link, aren’t particularly insightful. That would be like the finance department sharing how many people had a mistake in their expense report.

“It needs to come up a level and it needs to be more consistent and more actionable,” says Ellis, who advocates for CIOs to have “a little more moral courage to be able to stand up and say how we’re building our technology stack is the problem. People are not the problem.”

Mandy Andress, CISO at search software provider Elastic, says generative AI is being used by bad actors to increase the volume of threats, such as phishing emails, and their sophistication. In response, Elastic has improved “real and engaging” training, she said, which includes creating awareness videos that feature actual employees rather than generic corporate cartoon characters.

YL Ventures’s report also found that 43% of respondents are increasing their cybersecurity budgets in 2024. Nearly 26% reduced cybersecurity spending, while 23% kept spending flat. But with big data breaches recently affecting AT&T, car dealership software provider CDK Global, and as many as 165 customers of business software maker Snowflake, the question remains: Is that spending enough? 

“Probably not,” says Ellis, who blames cautious spending on a choppy economy and the presidential election year. “Next year, I think people will have a lot more certainty and these budget numbers will move up.”
