Breach, blame, repeat: The hard truths of today’s CISO

In this webinar, cybersecurity and counterterrorism expert Dick Clarke warns that it’s no longer a matter of if, but when, an IT breach will occur.

Key takeaways

This key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

The article summarizes Richard Clarke’s view that today’s Chief Information Security Officers (CISOs) lack the organizational clout, budget, and executive alignment necessary to protect enterprises against growing cyber threats. It outlines real-world problems including limited direct access to CEOs, senior executives who view cybersecurity as merely a technical issue, constrained budgets and staffing, fragmented vendor environments, and the absence of practiced breach response plans. The piece recommends reframing security as enterprise risk management, increasing security investment to roughly 8–12% of IT budgets, securing CEO-approved breach plans, and exercising those plans to reduce operational impact when breaches occur.

Why does Richard Clarke say CISOs need direct access to the CEO?

Clarke argues that CISOs who do not report directly to the CEO lack insight into top-level strategy and struggle to obtain the visibility and resources necessary to defend the enterprise. When reporting structures place the CISO under other executives, security priorities can be marginalized and funding or strategic support may be insufficient. Direct access to the CEO helps ensure security is treated as an enterprise-level concern, improves alignment with business objectives, and increases the likelihood of obtaining the personnel and budget required to mitigate modern cyber risks.

How much should enterprises be spending on security according to the article, and why?

The article cites Clarke’s recommendation that enterprises should expect to spend about 8–12% of their IT budget on security, compared with the typical 3–4% many CISOs currently manage. This increased spend is justified because contemporary threats, mobile and cloud adoption, and eCommerce expansion have raised both the frequency and potential damage of breaches. Security spend should be driven by what the organization needs to prevent and what it needs to protect; inadequate funding makes it difficult to cover staffing, tools, and integrated defenses across an environment that often relies on many disparate vendors.

What does Clarke recommend regarding breach plans and how should organizations prepare?

Clarke emphasizes that every CISO must have a CEO-approved breach plan that covers computer forensics, legal considerations, and crisis communications. Crucially, organizations should practice the plan through realistic run-throughs or simulations so executives and teams experience the operational pain of a breach and learn how to respond effectively. Clarke notes that decision-makers often dismiss exercises as games, but he stresses that simulated drills—conducted even with top leaders—are how organizations truly prepare and reveal weaknesses before a real incident occurs.

Cyber security expert Richard Clarke’s resume is nothing short of remarkable. He is an expert in security risk management and has been security advisor to three U.S. Presidents. So when Mr. Clarke has something to say about what is arguably the most critical role in today’s enterprise, we should listen.

Just having a CISO isn’t a security solution in itself. Clarke believes that today’s CISO does not have the clout they need to adequately protect the enterprise.

Here are the challenges facing today’s CISO:

Limited access to the CEO

If you think that the Chief Information Security Officer (CISO), with an office in the C-suite, would have the ear of the CEO, you’d be mistaken. The danger of a reporting structure to someone other than the CEO, warns Clarke, is a lack of insight into security strategy at the very top of the organization.

Without a direct line to the CEO, CISOs struggle with visibility and face challenges getting the necessary resources to prepare for today’s security risks.

Senior execs who think cyber risk is a technical problem

Nearly 80 percent of CEOs believe that cyber security and IT are strictly tech and compliance issues. That’s a problem. CISOs must learn to effectively communicate, in business terms, the risks and strategies required for proper security measures. CISOs need to speak the language of risk management – something every executive and CEO understands.

Short on budgets and staffing

CISOs generally work with a security budget of 3-4 percent of the IT budget. That may have been adequate 15 years ago, but it is stretched far too thin given today’s security requirements. It’s simply not enough.

“If you want adequate coverage, expect to spend anywhere between 8-12 percent of your budget on security strategies,” says Clarke.

Your security spend should be based on two things:

  1. What you want to prevent
  2. What you need to protect

Today, a typical large-scale enterprise has an average of 22 (yes, twenty-two) different IT security vendors. As business shifts toward mobile, cloud and eCommerce, security is more critical than ever. And as threats grow bigger, so does potential damage, and so does the cost of containing it.

Lack of a breach plan

Every CISO must prepare a breach plan – and it ought to be CEO-approved, advises Clarke.

It’s important that everyone knows exactly what to do in the event of a breach. The plan should account for everything from computer forensics, to legal, to crisis communications.

Practice the plan. Do the run-through. Feel the pain. According to Clarke, many executives scoff at the idea of doing a run-through, saying that they “don’t have time to play games”.

“I’ve played games with Presidents of the United States, with cabinet secretaries, and with Prime Ministers. They play games. That’s how you get ready. Making them live through a breach is how you show them how horrible it can be.”  ~ Richard Clarke

“It’s no longer a matter of if, but when, an IT breach will occur,” warns Clarke. And the CISO is invariably on the hot seat. In this climate of inevitable cyber threats, security as a strategy, deeper resources, and more visibility at the executive level are critical for the CISO to be truly effective.


Anna is a passionate content writer who’s always eager to learn something new about cyber security.
