February 17, 2016 By Carl Nordman
Diana Kelley
3 min read

Our colleagues in security have been increasingly (and rightly) raising the alert that security threats are not only the domain of IT, but an enterprisewide concern that necessitates a team approach across the executive suite. As such, the C-suite and its functional teams need more education, understanding and engagement in order have an appropriate, risk-aware posture that helps protect company assets, reputation and the broader business ecosystem (customers, partners, vendors).

The CISO and CIO can only do so much. Frequently, the business engages in a variety of activities to promote company strategy, growth initiatives, capture new markets, develop and roll out new products and penetrate new markets. Increasingly, this involves partnering externally with vendors, contractors, regulatory agencies and more — part of which is sharing business processes, intellectual property and data.

Read the complete report on securing the C-suite

IT and security are usually not involved, but the degree to which the business side of operations incorporates secure practices into everyday activities is becoming more important in light of exponentially increasing cyber risks.

To get a deeper view into the specifics of the C-suite’s concerns and perspectives on cybersecurity, IBM conducted a survey of more than 700 C-suite executives from 28 countries across 18 industries. Participants spanned traditional C-suite roles, compliance officers and legal counsel. This report, “Cybersecurity Perspectives From the Boardroom and C-Suite,” provides insights into the executives’ assessments of risks and challenges, as well as how these assessments align with actual threats.

Cybersecurity Is Important, But It’s Not Always Clear Who the Enemy Is

Two-thirds of respondents view cybersecurity as a top concern that must be addressed. However, they are not clear about which elements of security present the greatest risk.

For example, 54 percent of those surveyed acknowledge risks from organized crime groups. However, many tend to overemphasize the risks from opportunistic rogue actors and discount the dangers from other sources such as industry spies, domestic and foreign governments and inside personnel within the business ecosystem. Understanding the enemy helps optimize risk management and investment in security solutions.

Collaboration Is Essential to Level the Playing Field

It’s generally acknowledged in the security domain that collaborative sharing of incident information is a powerful weapon to combat the bad guys. In fact, the most successful cybercriminals are known to collaborate by sharing information on the Dark Web, the seedier side of the Internet where those with ill intent can interact anonymously.

The good guys, however, are more reticent to collaborate. Over two-thirds of CEOs in our study said they are reluctant to share their organizations’ cybersecurity incident information externally.

Equally concerning is the fact that internal, cross-functional collaboration is weak, particularly among the three specific C-suite roles — chief human resources officer (CHRO), chief marketing officer (CMO) and chief financial officer (CFO) — that have stewardship of the most coveted data sought by cybercriminals (employee, customer and financial information, respectively). These three executives are also the least confident that their organization’s cybersecurity plans are well-thought-out and well-executed.

Organizations Can Benefit From the Lessons of Those Who Have Prepared Well

C-suite participants who indicated they believe their organizations are more secure revealed that they have done more to implement a comprehensive cybersecurity program to detect breaches, prevent incidents and remediate risks. The evidence of that greater preparation is revealed in some things they are more likely to have implemented.

For instance, these C-suite participants indicate they have established an information security office, appointed a chief information security officer (CISO) and implemented a cross-functional governance model that engages the organization from the boardroom to management to employees. Key executives responsible for data most coveted by cybercriminals are more engaged in threat management activities. It’s also likely the CEO of those organizations is more open to collaboration and external sharing of incident intelligence.

C-Suite Considerations

Organizations ready to increase cybersecurity capabilities can look to emulate the cybersecurity elite. First, clarify which actors present the greatest risks and assess the organizational commitment to risk aversion.

Next, improve awareness and drive a more risk-aware culture across the entire organization. Institute a structure for cybersecurity governance, continuous monitoring, incident reporting and response preparation.

Lastly, use collaboration, both internally and externally, to manage threats and secure the organization’s most valuable digital assets. Enforce security standards across both the IT infrastructure and business processes.

Download the full Report: Cybersecurity perspectives from the boardroom and C-suite

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today