Just 8 percent of cybersecurity heads at US financial firms report to the chief executive officer directly and more should do so to help facilitate decision-making, according to the Financial Services Information Sharing & Analysis Center.
The industry group’s first-ever survey on the topic showed that 39 percent of chief information security officers report directly to the chief information officer, followed by 14 percent who said they answer to the chief risk officer.
Before the 2008 financial crisis, most risk chiefs didn’t report directly to the CEO, reflecting a lack of influence at the biggest banks just as the industry was piling on more risk. After the crisis, risk managers had considerably more clout.
“Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making,” the group said in a statement accompanying the survey, to be published on Monday.
The most critical defense against cyberattacks is employee training, according to 35 percent of those surveyed, ahead of network defense and infrastructure upgrades (25 percent) and breach prevention (17 percent). Protective measures on a firm’s computer system can still fail if a worker clicks on a link or downloads an email attachment carrying malicious code.
A majority of respondents, 54 percent, said they send quarterly reports to their companies’ boards, while 18 percent said they do so twice a year and 16 percent annually. The survey was conducted in the fourth quarter of last year, with 102 chief information security officers responding.