Why do 60% of SEC Cybersecurity Filings Omit CSO, CISO Info?

Four in 10 publicly traded companies disclosing their cybersecurity profiles in 10-K filings specifically mention a dedicated chief security officer (CSO) or chief information security officer (CISO), according to a recent Board Cybersecurity study.

Although calling out CSOs or CISOs in 10-K filings is not a reporting requirement (the requirements are flexible), it’s noteworthy that the role is not mentioned in 60% of cases, given the importance placed on it, particularly at large companies.

It’s often CSOs or CISOs who make decisions to engage with managed security service providers (MSSPs). In that context, is the 10-K figure surprising? Are companies lagging in appointing CSOs and CISOs to oversee their cybersecurity issues? How can MSSPs fill in the gaps?

In an examination of 2,178 10-Ks filed through March 15, 2024, shared by Board Cybersecurity founder Andrew Hoog with MSSP Alert, dedicated security executives (CSO, CISO) were mentioned in only 41% of the filings.

“I believe it’s generally accepted that key areas of enterprise value (sales, product) or risk (general counsel) should have a dedicated executive,” he said in an email exchange with MSSP Alert. “I think 41% is…
