[Material-Incidents] No. 11

Security - Who Is Running the Show

Hey everyone,

Many of my posts have been focused on filings and data related to breaches or failings in security programs. I’ve decided to mix it up and expand my analysis. This week (the past two weeks honestly), I’ve reviewed and gathered details on every single 10-K filed to date, looking to uncover trends and data on who is running public companies’ security and risk programs. I wanted to see what could be gleaned about the security leadership we’re seeing across our industry. Let’s dive in:

10-K Item 1C. - Who is running the show

The SEC started requiring companies to report on their security risk management, strategy and governance this past December when they introduced Item 1C for 10-K forms. Since then, there have been ~5k 10-Ks filed and around 3.5k+ filings have contained an Item 1C. As I mentioned above, these filings fall across a quality spectrum. Some filings call out not having a cybersecurity risk management program at all, while others go deep into detail on their governance and policies. While reviewing, the main question I wanted to answer from these filings was who is responsible for the security program. Interestingly enough, nearly 85% of the Item 1C filings (~2.9k filings) included security leadership information. I don’t want you to have to take my word for it, so I created a dataset where you can search by leadership role/title and see text snippets from the filings referencing those positions.

There was a broad range of positions across these filings, with over 700 total unique titles. Most of these titles are due to slight variations in naming conventions (e.g. Director of Information Technology, Director of IT, IT Director; I’ve tried to normalize these instances to a single position), but there are still some unique ones like ‘Health, Safety, and Environmental Director’, ‘Software Engineer’ and ‘Principal Accounting Officer’ leading their orgs. As I expected, the Chief Information Security Officer is the most commonly found title, but I’m honestly surprised about some of the other most commonly found positions, see below:

I’m not surprised to see the CIO/CTO leading a large portion of security programs. The CFO position is also highly represented, which makes sense if a company views security as a risk management concern. However, I didn’t expect to see as many CEOs leading security programs — feels unlikely that CEOs would prioritize security as much as a dedicated Chief Security Officer/CISO.

Given that CISOs are 2.5x as common as the next closest leader, let’s take a look at the sectors most commonly using CISOs to lead their programs:

Breakdown by sector

Note: Only 778 of the 830 10-Ks referencing CISOs included sector data

My big takeaway: the Utility sector needs more CISO representation, especially when compared to the Financial sector. There are currently 109 publicly traded utility companies in the US that have a combined market cap of over 1.4 Trillion dollars. Twelve mention having a CISO running their security program and four more have a CSO; that’s just shy of 15% coverage for some of our most critical energy assets. 450 Financial Services companies have filed an Item 1C; just shy of 50% reported having a CISO at the helm. It’s interesting to see this distribution of leadership across these sectors. I understand the financial services sector is heavily regulated, but there’s quite a gap in leadership representation between it and the utility sector.
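As an added illustration of the two steps behind these numbers, normalizing title variants into one role and then computing per-sector CISO coverage, here is a small Python example. It is not the author’s dataset or tooling; the Item 1C snippets and sector labels below are constructed for the example, not taken from real filings.

```python
import re
from collections import Counter

# Constructed Item 1C-style snippets as (sector, text); NOT real filings.
SNIPPETS = [
    ("Utilities", "Our Chief Information Security Officer (CISO) reports quarterly to the Audit Committee."),
    ("Utilities", "Oversight of cybersecurity risk is the responsibility of our Director of Information Technology."),
    ("Utilities", "Our IT Director manages day-to-day security operations and reports to the CFO."),
    ("Utilities", "The Chief Information Officer leads our cybersecurity program."),
    ("Financial Services", "The Company's CISO leads a dedicated information security team."),
    ("Financial Services", "Our Chief Information Security Officer and Chief Financial Officer jointly review cyber risk."),
    ("Financial Services", "Our Chief Executive Officer is ultimately responsible for cybersecurity risk."),
    ("Financial Services", "Cybersecurity is managed by our Chief Security Officer."),
]

# Each canonical role maps to a regex covering the spelled-out title, the acronym,
# and common phrasing variants (e.g. "Director of IT" vs "IT Director").
ROLE_PATTERNS = [
    ("CISO", r"chief information security officer|\bCISO\b"),
    ("CSO", r"chief security officer|\bCSO\b"),
    ("CIO", r"chief information officer|\bCIO\b"),
    ("CTO", r"chief technology officer|\bCTO\b"),
    ("CFO", r"chief financial officer|\bCFO\b"),
    ("CEO", r"chief executive officer|\bCEO\b"),
    ("IT Director", r"director of (information technology|it)\b|\bit director\b"),
]


def normalize_roles(text):
    """Return the set of canonical roles mentioned in one snippet."""
    return {role for role, pat in ROLE_PATTERNS if re.search(pat, text, re.IGNORECASE)}


def role_counts(snippets):
    """Count how many snippets mention each canonical role (a snippet may name several)."""
    counts = Counter()
    for _, text in snippets:
        counts.update(normalize_roles(text))
    return counts


def coverage_by_sector(snippets, role="CISO"):
    """Fraction of snippets per sector that name `role` as a security leader."""
    total, hits = Counter(), Counter()
    for sector, text in snippets:
        total[sector] += 1
        if role in normalize_roles(text):
            hits[sector] += 1
    return {sector: hits[sector] / total[sector] for sector in total}
```

Running `coverage_by_sector(SNIPPETS)` on the constructed data gives 0.25 for Utilities and 0.5 for Financial Services, the same shape of gap the real filings show.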

Thanks for taking the time to read, hope you found this informative. If you enjoyed or found this interesting, let me know!

Best,

Matt