Fortune 500 Missing CISOs. Who’s Responsible for Security?

• According to the report, 38 percent of the 2019 Fortune 500 haven’t appointed a Chief Information Security Officer (CISO).
• Almost 77 percent of the Fortune 500 have no mention of individuals responsible for security strategy on their websites.

We are being often asked in our personal and professional life to look up to your role model and find some inspiration if we have to succeed. But, here we have an exceptional case from an unexpected group of achievers—Fortune 500.

What’s in the news

To uncover how the world’s leading companies are leading by example to deploy cybersecurity initiatives, Bitglass researched the organizations in the 2019 Fortune 500 and analyzed public-facing information (from what is available on their websites). Here are the Bitglass report findings summarized the 2019 Fortune 500 companies:

• 38 percent of companies are operating without appointing a CISO in position.
• Only 16 percent (of 38 percent) have another executive listed as responsible for cybersecurity strategy, such as a VP of security.
• 62 percent majority do have CISOs but merely 4 percent of them have listed it on their company leadership pages.
• 77 percent of companies have no mention of any individual on their website responsible for security strategy.
• 52 percent of companies do not have any language relating to customer or partner data protection.

"Corporate social responsibility initiatives have made it onto the websites of the Fortune 500, but research has shown that the same level of importance is not being given to publicly demonstrating commitment to cybersecurity initiatives," said Anurag Kahol, chief technology officer of Bitglass. "Lax security and its resulting breaches have long-term repercussions for organizations as well as their customers, shareholders, partners, and other stakeholders. Members of the Fortune 500 should be focused just as much on protecting personal data and consumer privacy as they are on other areas of social responsibility."

More from the report

Bitglass report titled ‘Cloudfathers Fortune 500 Cybersecurity Report’ reportedly scanned the websites of Fortune 500 companies for key cyber-security phrases, job titles, and security mission statements.

According to researchers, levels of engagement with security practices varied widely by industry vertical. Aerospace, finance and technology firms considerably were ahead of its peers in the hospitality, construction and oil and gas industries.

Most security-concerned industries

• With 57 percent of companies dedicating an executive for cybersecurity strategy, the transportation industry was the most secured.
• 33 percent of companies in the aerospace industry and 30 percent in insurance industry came second and third, respectively.
• Interestingly, 89 percent of organizations from aerospace had information hosted on their websites how they protect the data of customers and partners. Aerospace was followed by finance 72 percent and technology 66 percent.

Least security-concerned industries

• Hospitality companies had no responsible executive listed for cybersecurity strategy.
• Following closely, the manufacturing and telecommunications industries had 8 percent and 9 percent of companies, respectively, with authorized personnel for cybersecurity.
• Within each of the construction, hospitality, and oil & gas industries, only 25 percent of organizations had information on their websites about how they offer protection to customer and partner data.

However, Europe-wide regulations such as GDPR require enterprises, processing humongous volumes of customer data, to internally nominate a Data Protection Officer (DPO). Yet, there isn’t a provision that they should be publicly visible.