More than half of organisations in the 2017 CIO 100 reported they had detected a security breach in the previous 12 months, while an overwhelming 82% expected to see an increase in budget specific to security to tackle the cyber threat.

The 2017 CIO 100 research also revealed CISOs and equivalent information security leaders overwhelmingly had reporting lines into the CIO function, which security researchers suggested might not be the best structure for all organisations.

More than half of CIOs who responded, at 55%, said they had detected a security breach over the past 12 months - a small increase compared to 51% of the 2016 CIO 100. The 2015 figure was 56% suggesting the small changes were of little statistical significance compared to the bigger picture of the range of organisations - large, smaller, public, private and non-profit - tackling daily cyber threats.

Of the 18% which did not expect a budget increase specific to security to tackle the growing cyber threat, more than half were public sector or non-profit organisations.

Security collaboration

CIO of the Group Security Function at Barclays, Elena Kvochko, called on all organisations and sectors to work together to secure their businesses.

"We believe that it is in the best interest of industries to collaborate to secure the internet, since it is highly interdependent," she said. "Working collaboratively to ensure the continuous and uninterrupted flow of the businesses should be an intrinsic part of security and overall trust fabric that help companies remain poised to react to incidents, regardless of their nature."

Responding to a question about the role of Chief Information Security Officers - or equivalents - at their organisations, the 2017 CIO 100 revealed 70% of organisations had a security leader reporting into the CIO function.

In 4% of organisations they reported elsewhere; at 5% of organisations they were a peer to the CIO; some 4% of CIOs declared they were themselves the person responsible for this role; and 11% responded that it was covered by another role in the CIO's IT department.

A further 6% responded that they either did (3%) or did not (3%) have a separate CISO or equivalent at their organisation.

CISO reporting lines

Security strategist at Trend Micro, Bharat Mistry, said that it was positive more organisations were employing CISOs, but that it was "unfortunate" that the role did not have a direct reporting line to the CEO.

"Until recently IT security teams have taken the heat for security breaches but times have changed," he told CIO UK. "Increasingly when a company is breached the pain is felt in the boardroom as organisations are often hit with huge fines, reputational damage and even lawsuits.

"This change is leaving executives very concerned; they want assurances that systems are fully secure and they are fully compliant against the regulations they face. Hence as indicated by the research we are now starting to see more CISOs being employed by organisations but unfortunately more than half still report directly to the CIO.

"However, in reality cyber risks need to be communicated to the board and directly to the CEO as the person directly responsible for the organisation. The problem in the past is that CISOs that have come from a technical background have not been able to communicate cyber risk to the board in a language that the board understands, hence there has been a buffer between the CISO and the board."

Physical and information security

Barclays Group Security Function CIO Kvochko however said reporting lines were a red herring compared to the bigger fish of the growing remit of the role.

"Enterprises rely on the cutting-edge technologies to deliver their services," she said. "This very strength is also a vulnerability that is constantly under attack. Therefore, regardless of who the CISO reports to, they should have a holistic view of the enterprise and the spectrum of the threats.

"Today, many large enterprises operate in silos at organisational, operational, and technological levels. In order to mitigate and remediate security vulnerabilities, recognise patterns, reduce operational gaps, improve collaboration, efficiency and react in real time, CISOs need to enable an integrated end-to-end response. At Barclays, we redefined the way we think about security and focus on 'security' as a whole to deliver such integrated service."

Back in 2012, Trend Micro's Rik Ferguson said that it was a "conflict of interest" having a CISO reporting to a CIO.

"The person responsible for ensuring organisational information security cannot be subordinated to the person responsible for technology selection and implementation," he explained. "Rather the two should operate as a team, driving operational and information security up the boardroom agenda - neither one being able to pull rank on the other."

Last month in the government's Cyber Security Breaches Survey, 46% of organisations had identified at least one breach or attack in the last year, with 74% of UK directors responding that cyber security was a high priority. Figures of those reporting breaches increased to nearly seven in 10 for large organisations.

While it is broadly seen as positive that CIO 100 organisations expect an increase in budget to tackle the cyber threat, in the light of the global WannaCry ransomware attack which caused significant disruption to the NHS, security leaders said that basic hygiene should be the main focus.

Basic cyber hygiene

Ciaran Martin, CEO of the National Cyber Security Centre, said: "UK businesses must treat cyber security as a top priority if they are to take advantage of the opportunities offered by the UK's vibrant digital economy.

"The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities."

Brian Lord, the former GCHQ Deputy Director for Intelligence and Cyber Operations, said that good cyber security practice did not need to be expensive, and called on the vendor community to change its ways.

"All recent high profile cyber-attack incidents could and should have been prevented with relatively low cost solutions," Lord said.

"The reason breaches are growing is because companies aren't protecting themselves properly, because they are being made confused by the cyber security vendors. A 'cyber mythology' has been created by the industry, to sell unnecessarily expensive solutions through fear.

"It isn't either expensive or complicated to understand and manage these risks."
