It’s slightly shocking to learn that only 47% of organizations have a formal CSO/CISO role. As security breaches continue to be a major business issue, one would think that targeted and skilled senior security executives would be prevalent at all organizations; however, our 2017 Security Priorities study proved otherwise. The role is widely seen among enterprise organizations (organizations with 1,000+ employees), with 66% stating they have a CSO/CISO, while only 24% of SMB organizations (organizations with <1,000 employees) say the same. This brings up the question – how is security managed in organizations, especially among companies of different sizes?
Our research examined how the security function is handled at various organizations – in terms of having either a standalone security department, or one department where IT and security are managed together. Close to half (42%) of enterprise organizations said that their security department is separate from IT, while only 15% of SMB organizations reported having this structure. The majority (85%) of SMBs said that their IT and security departments are managed together, which may explain the low percentage of SMBs that have a top security executive. Nonetheless, SMBs are subject to many of the same security regulations and the same security demands from their business partners that their enterprise counterparts face, which may drive an adoption of security leaders in those SMB businesses.
It’s also interesting to note that both enterprise and SMB organizations are involved in IT security and physical security decisions; however, enterprises are more focused on decisions that concern IT security only.
So who holds significant responsibility in the security areas organizations are investing in? Enterprise organizations are more likely to report that their IT security department has responsibility for the majority of security solutions, while among SMB organizations the IT department is more involved.
While being responsible for security decisions, security executives find themselves having to take time away from these strategic tasks and planning in order to deal with daily, unexpected challenges. Top issues that are stealing time away from security decision-makers include cyber threats from outside the organization (31%), budgetary constraints/demonstrating ROI (28%), meeting governance and compliance regulations (28%), and employee awareness and cooperation issues (27%). These challenges do not vary significantly by company size, except that enterprises have more trouble meeting governance and compliance regulations, while SMBs find that employee awareness and outside threats are stealing more time away from their strategic goals.
Despite the differences in strategy and structure, security is on the minds of all IT and security executives. There may be alternate roads that lead to security success, but both enterprise and SMB organizations have guidelines in place, executives to oversee practices, and investments in security technologies to ensure their organization is protected. However, enterprise organizations are laying the groundwork that SMBs must follow in the future in order to stay on top of threats and tackle challenges.
Interested in learning more about security structure? Register to download the executive summary “The Architecture of Security: Understanding the Role & Strategy” below.